%%% invariants.bib -- Bibliography for program invariant detection






%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Daikon
%%%




%%%
%%% Daikon extensions
%%%


@InProceedings{CsallnerS2006:ICSE,
  author = 	 "Christoph Csallner and Yannis Smaragdakis",
  title = 	 "Dynamically discovering likely interface invariants",
  booktitle =    ICSE2006,
  pages = 	 "861--864",
  year = 	 2006,
  address = 	 ICSE2006addr,
  month = 	 ICSE2006date,
  note = 	 "Emerging results track",
  usesDaikon =   1,
  basefilename = "csallner-icse-2006",
  downloads =    "http://ranger.uta.edu/~csallner/papers/csallner06dynamically.pdf PDF",
  abstract =
   "Dynamic invariant detection is an approach that has received considerable
    attention in the recent research literature. A natural question arises in
    languages that separate the interface of a code module from its
    implementation: does an inferred invariant describe the interface or the
    implementation? Furthermore, if an implementation is allowed to refine
    another, as, for instance, in object-oriented method overriding, what is
    the relation between the inferred invariants of the overriding and the
    overridden method? The problem is of great practical interest. Invariants
    derived by real tools, like Daikon, often suffer from internal
    inconsistencies when overriding is taken into account, becoming unsuitable
    for some automated uses. We discuss the interactions between overriding and
    inferred invariants, and describe the implementation of an invariant
    inference tool that produces consistent invariants for interfaces and
    overridden methods.",
}



@InProceedings{KuzminaG2006,
  author = 	 "Nadya Kuzmina and Ruben Gamboa",
  title = 	 "Dynamic constraint detection for polymorphic behavior",
  booktitle = OOPSLA2006companion,
  pages = 	 "657--658",
  year = 	 2006,
  address = 	 OOPSLA2006addr,
  month = 	 OOPSLA2006date,
  note = 	 "Poster",
  abstract =
   "Dynamic invariant detection, the automatic recovery of partial program
    specifications by inferring likely constraints from program executions, has
    been successful in the context of procedural programs. The implementation
    for dynamic invariant detection examines only the declared type of a
    variable, lacking many details in the context of object-oriented
    programs. This paper shows how this technique can be extended to detect
    invariants of object-oriented programs in the presence of polymorphism by
    examining the runtime type of a polymorphic variable, which may have
    different declared and runtime types. We demonstrate the improved accuracy
    of the dynamically detected specification on two real-world examples: the
    Money example from the JUnit testing framework tutorial, and a database
    query engine model example, which we adopted from a commercial database
    application. Polymorphic constraints in both cases are shown to reveal the
    specification of the runtime behavior of the systems.",
  usesDaikon = 1,
  downloads =    "http://portal.acm.org/ft_gateway.cfm?id=1176659&type=pdf&coll=GUIDE&dl=&CFID=15151515&CFTOKEN=6184618 PDF",
  OLDdownloads = "http://www.cs.uwyo.edu/~ruben/sod/nadya/resources/pub/runtime-refined-constraints-tr-uwcs-07-01.pdf extended version (PDF)",
  supersededby = "KuzminaG2007:WODA",
}


@TechReport{KuzminaG2007:TR,
  author = 	 "Nadya Kuzmina and Ruben Gamboa",
  title = 	 "Extending dynamic constraint detection with polymorphic analysis",
  institution =  "University of Wyoming",
  year = 	 2007,
  number = 	 "UWCS-07-01",
  address = 	 "Laramie, WY",
  month = 	 jan,
  usesDaikon = 1,
  supersededby = "KuzminaG2007:WODA",
}


@InProceedings{KuzminaG2007:WODA,
  author = 	 "Nadya Kuzmina and Ruben Gamboa",
  title = 	 "Extending dynamic constraint detection with polymorphic analysis",
  booktitle = WODA2007,
  pages = 	 "57--63",
  year = 	 2007,
  address = 	 WODA2007addr,
  month = 	 WODA2007date,
  abstract =
   "The general technique for dynamically detecting likely invariants, as
    implemented by Daikon, lacks specific object-oriented support for
    polymorphism. Daikon examines only the declared type of a variable which
    prohibits it from examination of the runtime variables in the presence of
    polymorphism.  The approach presented in this paper extends the technique
    to consider the runtime type of a polymorphic variable, which may have
    different declared and runtime types. The runtime behavior of a polymorphic
    variable is captured by \emph{polymorphic constraints} which have the form
    of an implication with the name of the runtime class in the antecedent. We
    demonstrate the improved accuracy of the dynamically detected specification
    on the \texttt{Money} example from the JUnit testing framework
    tutorial. Polymorphic constraints are shown to reveal the specification of
    the runtime behavior of the example.",
  usesDaikon = 1,
  downloads = "http://dx.doi.org/10.1109/WODA.2007.3 PDF",
  OLDdownloads =    "http://www.cs.uwyo.edu/~ruben/sod/nadya/resources/pub/runtime-refined-constraints.pdf PDF;
                  http://www.cs.uwyo.edu/~ruben/sod/nadya/resources/pub/runtime-refined-constraints-tr-uwcs-07-01.pdf extended version (PDF)",
}



@InProceedings{KuzminaPGC2008,
  author = 	 "Nadya Kuzmina and John Paul and Ruben Gamboa and James Caldwell",
  title = 	 "Extending dynamic constraint detection with disjunctive constraints",
  booktitle = WODA2008,
  pages = 	 "57--63",
  year = 	 2008,
  address = 	 WODA2008addr,
  month = 	 WODA2008date,
  abstract =
   "The languages of current dynamic constraint detection techniques are
    often specified by fixed grammars of universal properties. These
    properties may not be sufficient to express more subtle facts that
    describe the essential behavior of a given program. In an effort to make
    the dynamically recovered specification more expressive and
    program-specific we propose the state space partitioning technique as a
    solution which effectively adds program-specific disjunctive properties
    to the language of dynamic constraint detection. In this paper we
    present ContExt, a prototype implementation of the state space
    partitioning technique which relies on Daikon for dynamic constraint
    inference tasks.
    \par
    In order to evaluate recovered specifications produced by ContExt, we
    develop a methodology which allows us to measure quantitatively how
    well a particular recovered specification approximates the essential
    specification of a program's behavior. The proposed methodology is then
    used to comparatively evaluate the specifications recovered by ContExt
    and Daikon on two examples.",
  usesDaikon = 1,
  downloads = "http://www.cs.uwyo.edu/~jlc/papers/woda_08.pdf PDF",
  OLDdownloads = "http://www.cs.uwyo.edu/~ruben/sod/nadya/resources/pub/disj-constraints.pdf PDF",
  ACMdownloads = "http://dl.acm.org/citation.cfm?id=1401839 PDF",
}



@TechReport{PolikarpovaCM2008,
  author = 	 "Nadia Polikarpova and Ilinca Ciupa and Bertrand Meyer",
  title = 	 "A comparative study of programmer-written and automatically inferred contracts",
  institution =  ETHZ,
  year = 	 "2008",
  number = 	 "608",
  address = 	 ETHZaddr,
  month = 	 sep,
  abstract =
   "Where do contracts --- specification elements embedded in executable code
    --- come from? To produce them, should we rely on the programmers, on
    automatic tools, or some combination?
    \par
    Recent work, in particular the Daikon system, has shown that it is possible
    to infer some contracts automatically from program executions. The main
    incentive has been an assumption that most programmers are reluctant to
    invent the contracts themselves. The experience of contract-supporting
    languages, notably Eiffel, disproves that assumption:  programmers will
    include contracts if given the right tools. That experience also shows,
    however, that the resulting contracts are generally partial and
    occasionally incorrect.
    \par
    Contract-inference tools provide the opportunity for studying objectively
    the quality of programmer-written contracts, and for assessing of the
    respective roles of humans and tools. Working on an industrial base of
    contract-equipped software, we applied Daikon to infer contracts, and
    compared the results with the already present contracts.
    \par
    We found that a contract inference tool can be used to strengthen
    programmer-written contracts, but cannot infer all contracts that humans
    write. The tool generates around five times as many relevant contract
    elements (assertions) as written by programmers; but it only finds about a
    half of those originally written by programmers.
    \par
    The study also uncovered strong correlations between the quality of
    inferred contracts and some other interesting code metrics.",
  usesDaikon = "1",
  OPTbasefilename = "",
  downloads = "ftp://ftp.inf.ethz.ch/pub/publications/tech-reports/6xx/609.pdf PDF",
  supersededby = "PolikarpovaCM2009",
  OPTcategory =  "",
  OPTsummary = 	 "",
}


@InProceedings{PolikarpovaCM2009,
  author = 	 "Nadia Polikarpova and Ilinca Ciupa and Bertrand Meyer",
  title = 	 "A comparative study of programmer-written and automatically inferred contracts",
  booktitle = ISSTA2009,
  pages = 	 "93--104",
  year = 	 2009,
  address = 	 ISSTA2009addr,
  month = 	 ISSTA2009date,
  abstract =
   "Where do contracts --- specification elements embedded in executable code
    --- come from? To produce them, should we rely on the programmers, on
    automatic tools, or some combination?
    \par
    Recent work, in particular the Daikon system, has shown that it is possible
    to infer some contracts automatically from program executions. The main
    incentive has been an assumption that most programmers are reluctant to
    invent the contracts themselves. The experience of contract-supporting
    languages, notably Eiffel, disproves that assumption: programmers will
    include contracts if given the right tools. That experience also shows,
    however, that the resulting contracts are generally partial and
    occasionally incorrect.
    \par
    Contract inference tools provide the opportunity for studying objectively
    the quality of programmer-written contracts, and for assessing the
    respective roles of humans and tools. Working on 25 classes taken from
    different sources such as widely-used standard libraries and code written
    by students, we applied Daikon to infer contracts and compared the results
    (totaling more than 19500 inferred assertion clauses) with the already
    present contracts.
    \par
    We found that a contract inference tool can be used to strengthen
    programmer-written contracts, but cannot infer all contracts that humans
    write. The tool generates around five times as many relevant assertion
    clauses as written by programmers; but it only finds around 60\% of those
    originally written by programmers. Around a third of the generated
    assertions clauses are either incorrect or irrelevant. The study also
    uncovered interesting correlations between the quality of inferred
    contracts and some code metrics.",
  usesDaikon = 1,
  OPTbasefilename = "",
  downloads = "http://se.ethz.ch/~meyer/publications/testing/citadel-issta.pdf PDF",
  OPTdownloadsnonlocal = "",
  OPTcategory =  "",
  OPTsummary = 	 "",
}



@incollection{PalomoDuarteGDMB2010,
year={2010},
isbn={978-3-642-13910-9},
booktitle={Web Engineering},
volume={6189},
series={Lecture Notes in Computer Science},
editor={Benatallah, Boualem and Casati, Fabio and Kappel, Gerti and Rossi, Gustavo},
doi={10.1007/978-3-642-13911-6_45},
title={Takuan: A Tool for {WS-BPEL} Composition Testing Using Dynamic Invariant Generation},
url={http://dx.doi.org/10.1007/978-3-642-13911-6_45},
publisher={Springer Berlin Heidelberg},
keywords={Web services; service composition; WS-BPEL; white-box testing; dynamic invariant generation},
author={Palomo-Duarte, Manuel and García-Domínguez, Antonio and Medina-Bulo, Inmaculada and Alvarez-Ayllón, Alejandro and Santacruz, Javier},
pages={531-534},
language={English}
}


@article{PalomoDuarte20145041,
title = "Automatic dynamic generation of likely invariants for WS-BPEL compositions ",
journal = "Expert Systems with Applications ",
volume = "41",
number = "11",
pages = "5041 - 5055",
year = "2014",
note = "",
issn = "0957-4174",
doi = "http://dx.doi.org/10.1016/j.eswa.2014.01.037",
url = "http://www.sciencedirect.com/science/article/pii/S095741741400061X",
author = "Manuel Palomo-Duarte and Antonio García-Domínguez and Inmaculada Medina-Bulo",
keywords = "Web service composition",
keywords = "WS-BPEL",
keywords = "Dynamic invariant generation",
keywords = "White-box testing ",
abstract = "Abstract The wide adoption of Web Services has led to the development of languages to compose them, like the WS-BPEL standard. In order to check whether the composition works as expected, one common approach is to analyze it and infer functional properties describing its behavior. Traditional approaches for inferring properties in WS-BPEL have been static: compositions are transformed into specialized analysis models based on some formalization. However, this formalization could be inexact due to theoretical limitations or differing interpretations of the standard by implementers. Dynamic invariant generation solves these problems by extracting the properties from actual executions and has been successfully used in popular languages, but not to WS-BPEL yet. In this work, we apply dynamic invariant generation to WS-BPEL, providing innovative solutions for several features that require special consideration, like highly multidimensional values in variables, an advanced type system or unstructured code. We have implemented these solutions in Takuan and evaluated its performance with several compositions of varying complexity. We present the results obtained and a comparative analysis of the efficiency and effectiveness of our solutions. Results show that the solutions are successful in reducing the cost of applying dynamic invariant generation and the number of uninteresting invariants generated. "
}



%%%
%%% Daikon applications
%%%



@InProceedings{RazKS2002,
  author = 	 "Orna Raz and Philip Koopman and Mary Shaw",
  title = 	 "Semantic Anomaly Detection in Online Data Sources",
  booktitle = 	 ICSE2002,
  year =	 2002,
  pages =        "302--312",
  month =	 ICSE2002date,
  address =	 ICSE2002addr,
  usesDaikon =   1,
  basefilename = "raz-icse-2002",
  downloads =    "http://www-2.cs.cmu.edu/~ornar/icse2002.pdf PDF;
		  http://www-2.cs.cmu.edu/~ornar/icse2002.ps PS;
		  http://www-2.cs.cmu.edu/~ornar/icse2002_presentation.pdf Slides",
  abstract =
   "Much of the software we use for everyday purposes incorporates elements
    developed and maintained by someone other than the developer. These
    elements include not only code and databases but also dynamic data feeds
    from online data sources. Although everyday software is not mission
    critical, it must be dependable enough for practical use. This is limited
    by the dependability of the incorporated elements.It is particularly
    difficult to evaluate the dependability of dynamic data feeds, because they
    may be changed by their proprietors as they are used. Further, the
    specifications of these data feeds are often even sketchier than the
    specifications of software components.We demonstrate a method of inferring
    invariants about the normal behavior of dynamic data feeds. We use these
    invariants as proxies for specifications to perform on-going detection of
    anomalies in the data feed. We show the feasibility of our approach and
    demonstrate its usefulness for semantic anomaly detection: identifying
    occasions when a dynamic data feed is delivering unreasonable values, even
    though its behavior may be superficially acceptable (i.e., it is delivering
    parsable results in a timely fashion).",
}


@InProceedings{HangalL02,
  author = 	 "Sudheendra Hangal and Monica S. Lam",
  title = 	 "Tracking down software bugs using automatic anomaly detection",
  booktitle = 	 icse2002,
  year =	 2002,
  pages =        "291--301",
  month =	 ICSE2002date,
  address =	 ICSE2002addr,
}


@InProceedings{HangalCNC2005,
  author = 	 "Sudheendra Hangal and Naveen Chandra and Sridhar
                  Narayanan and Sandeep Chakravorty",
  title = 	 "IODINE: A tool to automatically infer dynamic invariants
                  for hardware designs",
  booktitle =	 DAC2005,
  pages = 	 "775--778",
  year =	 2005,
  address =	 DAC2005addr,
  month =	 DAC2005date
}





@TechReport{GroceV2002,
  author = 	 "Alex Groce and Willem Visser",
  title = 	 "What went wrong: Explaining counterexamples",
  institution =  "RIACS, USRA",
  year = 	 2002,
  number = 	 "02-08",
  supersededby = "GroceV2003",
  usesDaikon =   1,
  basefilename = "groce-tr0208-2002",
  downloads =    "http://www-2.cs.cmu.edu/~agroce/RIACS0208.ps PS",
  abstract =
   "Model checking, initially successful in the field of hardware design, has
    recently been applied to software. One of the chief advantages of model
    checking is the production of counterexamples demonstrating that a system
    does not satisfy a specification. However, it may require a great deal of
    human effort to extract the essence of an error from even a detailed
    source-level trace of a failing run.  We use an automated method for
    finding multiple versions of an error (and similar executions that do not
    produce an error), and analyze these executions to produce a more succinct
    description of the key elements of the error.",
}

@InProceedings{GroceV2003,
  author = 	 "Alex Groce and Willem Visser",
  title = 	 "What Went Wrong: Explaining Counterexamples",
  booktitle =	 SPIN2003,
  pages =	 "121--135",
  year =	 2003,
  address =	 SPIN2003addr,
  month =	 SPIN2003date,
  usesDaikon =   1,
  basefilename = "groce-spin-2003",
  downloads =    "http://spinroot.com/spin/Workshops/ws03/GroceVisser.pdf PDF",
  abstract =
   "One of the chief advantages of model checking is the production of
    counterexamples demonstrating that a system does not satisfy a
    specification. However, it may require a great deal of human effort to
    extract the essence of an error from even a detailed source-level trace of
    a failing run. We use an automated method for finding multiple versions of
    an error (and similar executions that do not produce an error), and analyze
    these executions to produce a more succinct description of the key elements
    of the error. The description produced includes identification of portions
    of the source code crucial to distinguishing failing and succeeding runs,
    differences in invariants between failing and non-failing runs, and
    information on the necessary changes in scheduling and environmental
    actions needed to cause successful runs to fail."
}


@TechReport{XieN2003:TR,
  author = 	 "Tao Xie and David Notkin",
  title = 	 "Exploiting synergy between testing and inferred partial
                  specifications",
  institution =  UWCSE,
  year = 	 2003,
  number =	 "UW-CSE-03-04-02",
  address =	 UWCSEaddr,
  month =	 apr,
  usesDaikon =   1,
  supersededby = "XieN2003:WODA",
  basefilename = "xie-tr030402-2003",
  downloads =    "http://people.engr.ncsu.edu/txie/UW-CSE-03-04-02.pdf PDF",
}

@InProceedings{XieN2003:WODA,
  author = 	 "Tao Xie and David Notkin",
  title = 	 "Exploiting synergy between testing and inferred partial
                  specifications",
  booktitle =	 WODA2003,
  pages =	 "17--20",
  year =	 2003,
  address =	 WODA2003addr,
  month =	 WODA2003date,
  usesDaikon =   1,
  supersededby = "XieN2003:ASE",
  basefilename = "xie-woda-2003",
  downloads =    "http://people.engr.ncsu.edu/txie/testspecsynergy-woda03.pdf PDF;
                  http://people.engr.ncsu.edu/txie/testspecsynergy-woda03.ppt Slides",
}

@InProceedings{XieN2003:ASE,
  author = 	 "Tao Xie and David Notkin",
  title = 	 "Tool-assisted unit test selection based on operational
                  violations",
  booktitle =	 ASE2003,
  pages = 	 "40--48",
  year =	 2003,
  address =	 ASE2003addr,
  month =	 ASE2003date,
  abstract =
   "Unit testing, a common step in software development, presents a
    challenge. When produced manually, unit test suites are often insufficient
    to identify defects. The main alternative is to use one of a variety of
    automatic unit test generation tools: these are able to produce and execute
    a large number of test inputs that extensively exercise the unit under
    test. However, without a priori specifications, developers need to manually
    verify the outputs of these test executions, which is generally
    impractical. To reduce this cost, unit test selection techniques may be
    used to help select a subset of automatically generated test inputs. Then
    developers can verify their outputs, equip them with test oracles, and put
    them into the existing test suite. In this paper, we present the
    operational violation approach for unit test selection, a black-box
    approach without requiring a priori specifications. The approach
    dynamically generates operational abstractions from executions of the
    existing unit test suite. Any automatically generated tests violating the
    operational abstractions are identified as candidates for selection. In
    addition, these operational abstractions can guide test generation tools to
    produce better tests. To experiment with this approach, we integrated the
    use of Daikon (a dynamic invariant detection tool) and Jtest (a commercial
    Java unit testing tool). An experiment is conducted to assess this
    approach.",
  usesDaikon = 1,
  supersededby = "XieN2006",
  basefilename = "xie-ase-2003",
  downloads =    "http://people.engr.ncsu.edu/txie/publications/unittestselect.pdf PDF;
                  http://people.engr.ncsu.edu/txie/publications/unittestselect-ase03.ppt PowerPoint",
}


@Article{XieN2006,
  author = 	 "Tao Xie and David Notkin",
  title = 	 "Tool-assisted unit test generation and selection based on
                  operational abstractions",
  journal = 	 ASEjournal,
  year = 	 2006,
  volume = 	 13,
  number = 	 3,
  pages = 	 "345--371",
  month = 	 jul,
  abstract =
   "Unit testing, a common step in software development, presents a challenge.
    When produced manually, unit test suites are often insufficient to
    identify defects. The main alternative is to use one of a variety of
    automatic unit-test generation tools: these are able to produce and
    execute a large number of test inputs that extensively exercise the unit
    under test. However, without a priori specifications, programmers need to
    manually verify the outputs of these test executions, which is generally
    impractical. To reduce this cost, unit-test selection techniques may be
    used to help select a subset of automatically generated test inputs. Then
    programmers can verify their outputs, equip them with test oracles, and put
    them into the existing test suite. In this paper, we present the
    operational violation approach for unit-test generation and selection, a
    black-box approach without requiring a priori specifications. The
    approach dynamically generates operational abstractions from executions of
    the existing unit test suite. These operational abstractions guide test
    generation tools to generate tests to violate them. The approach selects
    those generated tests violating operational abstractions for
    inspection. These selected tests exercise some new behavior that has not
    been exercised by the existing tests. We implemented this approach by
    integrating the use of Daikon (a dynamic invariant detection tool) and
    Parasoft Jtest (a commercial Java unit testing tool), and conducted several
    experiments to assess the approach.",
  usesDaikon = 1,
  basefilename = "xie-ase-2006",
  downloads =    "http://people.engr.ncsu.edu/txie/publications/xiease03-journal.pdf PDF",
}



@InProceedings{XieN2003:FATES,
  author = 	 "Tao Xie and David Notkin",
  title = 	 "Mutually enhancing test generation and specification inference",
  booktitle = "FATES 2003: 3rd International Workshop on Formal Approaches to Testing of Software",
  pages = 	 "63--72",
  year = 	 2003,
  address = 	 Montreal,
  month = 	 oct # "~6,",
}


@Misc{Xie2003:JovExplanation,
  author =	 "Tao Xie",
  howpublished = "Personal communication",
  month =	 aug,
  year =	 2003
}


@InProceedings{Xie2002,
  author = 	 "Tao Xie",
  title = 	 "Checking inside the black box: Regression fault exposure
                  and localization based on value spectra differences",
  booktitle =	 "Poster session, Student Research Forum, " # FSE2002,
  year =	 2002,
  address =	 FSE2002addr,
  month =	 FSE2002date,
  usesDaikon =   1,
  downloads =    "http://people.engr.ncsu.edu/txie/TaoFSE-10studentposter.pdf PDF;
                  http://people.engr.ncsu.edu/txie/fseposter.ppt Slides",
  supersededby = "XieN2002:TR",
}

@TechReport{XieN2002:TR,
  author = 	 "Tao Xie and David Notkin",
  title = 	 "Checking inside the black box: Regression fault exposure
                  and localization based on value spectra differences",
  institution =  UWCSE,
  year = 	 2002,
  number =	 "UW-CSE-02-12-04",
  address =	 UWCSEaddr,
  month =	 dec,
  usesDaikon =   1,
  basefilename = "xie-tr021204-2002",
  downloads =    "http://people.engr.ncsu.edu/txie/publications/UW-CSE-02-12-04.pdf PDF",
  abstract =
   "We present a new fault exposure and localization approach intended to
    increase the effectiveness of regression testing. In particular, we extend
    traditional regression testing, which strongly focuses on black box
    comparisons, to compare internal program states. These value spectra
    differences allow a more detailed comparison of executions of the new and
    old versions of a program. In particular, our approach checks inside the
    program black box to observe unit behaviors and further checks inside the
    unit black box to observe some internal variable values besides the ones
    propagated outside the unit. This approach exposes faults without requiring
    the faults to be propagated to the outputs of the system or unit. Two
    heuristics are proposed to locate regression faults based on a fault
    propagation model. An experiment is conducted to assess their
    effectiveness. The initial results show our value-spectra-comparison
    approach can increase the regression fault exposure probability effectively
    and identify the locations of regression faults accurately.",
  supersededby = "XieN2004"
}

@InProceedings{XieN2004,
  author = 	 "Tao Xie and David Notkin",
  title = 	 "Checking inside the black box: Regression testing based
                  on value spectra differences",
  booktitle =	 ICSM2004,
  pages =	 "28--37",
  year =	 2004,
  address =	 ICSM2004addr,
  month =	 ICSM2004date,
  usesDaikon =   1,
  basefilename = "xie-iscm-2004",
  downloads =    "http://people.engr.ncsu.edu/txie/publications/icsm04.pdf PDF;
                  http://people.engr.ncsu.edu/txie/publications/valuespectra-icsm04-slides.pdf Slides",
  abstract =
   "Comparing behaviors of program versions has become an important task in
    software maintenance and regression testing. Traditional regression testing
    strongly focuses on black-box comparison of program outputs. Program
    spectra have recently been proposed to characterize a program s behavior
    inside the black box. Comparing program spectra of program versions offers
    insights into the internal behavior differences between versions. In this
    paper, we present a new class of program spectra, value spectra, which
    enriches the existing program spectra family. We compare the value spectra
    of an old version and a new version to detect internal behavior deviations
    in the new version. We use a deviation-propagation call tree to present the
    deviation details. Based on the deviation-propagation call tree, we propose
    two heuristics to locate deviation roots, which are program locations that
    trigger the behavior deviations. We have conducted an experiment on seven C
    programs to evaluate our approach. The results show that our approach can
    effectively expose program behavior differences between versions even when
    their program outputs are the same, and our approach reports deviation
    roots with high accuracy for most programs.",
}


@InProceedings{Gupta2003,
  author = 	 "Neelam Gupta",
  title = 	 "Generating test data for dynamically discovering likely
                  program invariants",
  booktitle =	 WODA2003,
  pages =	 "21--24",
  year =	 2003,
  address =	 WODA2003addr,
  month =	 WODA2003date,
  supersededby = "GuptaH2003",
  usesDaikon =   1,
  basefilename = "gupta-woda-2003",
  downloads =    "http://www.cs.nmsu.edu/~jcook/woda2003/papers/Gupta.pdf PDF",
  abstract =
   "Dynamic detection of program invariants is emerging as an important
    research area with many challenging problems. As with any dynamic approach,
    the accuracy of dynamic discovery of likely program invariants depends on
    the quality of test cases used to detect invariants. Therefore, generating
    suitable test cases that support accurate detection of program invariants
    is crucial to the dynamic approach for invariant detection.
    \par
    In this paper, we explore new directions in using the existing test data
    generation techniques to improve the accuracy of dynamically detected
    program invariants. First we discuss the augmentation of existing test
    suites to improve the accuracy of dynamically discovered invariants. The
    augmentation of the test suite may be done prior to running the dynamic
    analysis if the variables and expressions whose values will be monitored at
    runtime are known in advance. On the other hand, the dynamic analysis may
    be run first using an available test suite to obtain an initial guess of
    program invariants. These guessed invariants may then be used to generate
    test cases to augment the test suite. We also propose the use of existing
    test data generation techniques in improving the accuracy of invariants
    guessed using an already available test suite.",
}


@InProceedings{GuptaH2003,
  author = 	 "Neelam Gupta and Zachary V. Heidepriem",
  title = 	 "A new structural coverage criterion for dynamic detection
                  of program invariants",
  booktitle =	 ASE2003,
  pages = 	 "49--58",
  year =	 2003,
  address =	 ASE2003addr,
  month =	 ASE2003date,
  usesDaikon =   1,
  basefilename = "gupta-ase-2003",
  NOdownloads =    "1",
  abstract =
   "Dynamic detection of program invariants is emerging as an important
    research area with many challenging problems. Generating suitable test
    cases that support accurate detection of program invariants is crucial to
    the dynamic approach for invariant detection. In this paper, we propose a
    new structural coverage criterion called Invariant-coverage criterion for
    dynamic detection of program invariants. We also show how the
    invariant-coverage criterion can be used to improve the accuracy of
    dynamically detected invariants. We first used the Daikon tool to report
    likely program invariants using the branch coverage and all definition-use
    pair coverage test suites for several programs. We then generated
    invariant-coverage suites for these likely invariants. When Daikon was run
    with the invariant-coverage suites, several spurious invariants reported
    earlier by the branch coverage and definition-use pair coverage test suites
    were removed from the reported invariants. Our approach also produced more
    meaningful invariants than randomly generated test suites.",
}



@InProceedings{PytlikRKR2003,
  author = 	 "Brock Pytlik and Manos Renieris and Shriram Krishnamurthi
                  and Steven P. Reiss",
  title = 	 "Automated fault localization using potential invariants",
  booktitle =	 AADEBUG2003,
  pages = 	 "273--276",
  year =	 2003,
  address =	 AADEBUG2003addr,
  month =	 AADEBUG2003date,
  usesDaikon =   1,
  basefilename = "pytlik-aadebug-2003",
  downloads =    "http://cs.brown.edu/people/er/papers/renieris-aadebug2003.pdf PDF",
  abstract =
   "We present a general method for fault localization based on abstracting
    over program traces, and a tool that implements the method using Ernst s
    notion of potential invariants. Our experiments so far have been
    unsatisfactory, suggesting that further research is needed before
    invariants can be used to locate faults.",
}

@TechReport{Pytlik2003,
  author = 	 "Brock Pytlik",
  title = 	 "Automatic debugging using potential invariants",
  institution =  "Brown University",
  year = 	 2003,
  type = 	 "Honors Thesis",
  address = 	 "Providence, Rhode Island",
  month = 	 may,
  usesDaikon =   1,
  basefilename = "pytlik-thesis-2003",
  downloads =  "http://cs.brown.edu/research/pubs/theses/ugrad/2003/bpytlik.pdf PDF",
  abstract =     "This thesis does not contain an abstract."
}


@InProceedings{ZimmermannWDZ2004,
  author = 	 "Thomas Zimmermann and Peter Wei{\ss}gerber and Stephan Diehl and Andreas Zeller",
  authorASCII =	 "Thomas Zimmermann and Peter Weissgerber and Stephan Diehl and Andreas Zeller",
  authorASCII2 = "Thomas Zimmermann and Peter WeiBgerber and Stephan Diehl and Andreas Zeller",
  title = 	 "Mining version histories to guide software changes",
  booktitle =	 ICSE2004,
  pages = 	 "563--572",
  year =	 2004,
  address =	 ICSE2004addr,
  month =	 ICSE2004date,
  abstract =
   "We apply data mining to version histories in order to guide programmers
    along related changes: ``Programmers who changed these functions also
    changed...''. Given a set of existing changes, such rules (a) suggest
    and predict likely further changes, (b) show up item coupling that is
    indetectable by program analysis, and (c) prevent errors due to
    incomplete changes. After an initial change, our ROSE prototype can
    correctly predict 26\% of further files to be changed---and 15\% of the
    precise functions or variables.  The topmost three suggestions contain
    a correct location with a likelihood of 64\%."
}


@InProceedings{NSKL2005,
  author = 	 "Sri Hari Krishna Narayanan and Seung Woo Son and Mahmut Kandemir
                  and Feihui Li",
  title = 	 "Using loop invariants to fight soft errors in data caches",
  booktitle =	 "Asia and South Pacific Design Automation Conference",
  pages =	 "1317--1320",
  year =	 2005,
  address =	 "Shanghai, China",
  month =	 jan # "~18--21,",
  usesDaikon =   1,
  basefilename = "n-aspdac2005",
  downloads =    "http://www.mcs.anl.gov/~snarayan/publications/loopinvariants.pdf PDF",
  abstract =
   "Ever scaling process technology makes embedded systems more vulnerable to
    soft errors than in the past. One of the generic methods used to fight soft
    errors is based on duplicating instructions either in the spatial or
    temporal domain and then comparing the results to see whether they are
    different. This full duplication based scheme, though effective, is very
    expensive in terms of performance, power, and memory space. In this paper,
    we propose an alternate scheme based on loop invariants and present
    experimental results which show that our approach catches 62\% of the
    errors caught by full duplication, when averaged over all benchmarks
    tested. In addition, it reduces the execution cycles and memory demand of
    the full duplication strategy by 80\% and 4\%, respectively."
}






@InProceedings{CsallnerS2006:ISSTA,
  author = 	 "Christoph Csallner and Yannis Smaragdakis",
  title = 	 "{DSD}-{Crasher}: A hybrid analysis tool for bug finding",
  booktitle =    ISSTA2006,
  pages = 	 "245--254",
  year = 	 2006,
  address = 	 ISSTA2006addr,
  month = 	 ISSTA2006date,
  abstract =
   "DSD-Crasher is a bug finding tool that follows a three-step approach
    to program analysis:
    \par
    \textbf{D.} Capture the program's intended execution behavior with
    dynamic invariant detection. The derived invariants exclude many
    unwanted values from the program's input domain.
    \par
    \textbf{S.} Statically analyze the program within the restricted input
    domain to explore many paths.
    \par
    \textbf{D.} Automatically generate test cases that focus on verifying
    the results of the static analysis. Thereby confirmed results are never
    false positives, as opposed to the high false positive rate inherent in
    conservative static analysis.
    \par
    This three-step approach yields benefits compared to past two-step
    combinations in the literature. In our evaluation with third-party
    applications, we demonstrate higher precision over tools that lack a
    dynamic step and higher efficiency over tools that lack a static
    step.",
  basefilename = "csallner-issta2006",
  downloads =    "http://ranger.uta.edu/~csallner/papers/csallner06dsd-crasher.pdf PDF;
                  http://ranger.uta.edu/~csallner/cnc/ Implementation",
  usesDaikon =   1,
  supersededby = "CsallnerSX2008",
}


@Article{CsallnerSX2008,
  author = 	 "Christoph Csallner and Yannis Smaragdakis and Tao Xie",
  title = 	 "{DSD-Crasher}: A hybrid analysis tool for bug finding",
  journal = 	 TOSEM,
  year = 	 2008,
  volume = 	 17,
  number = 	 2,
  pages = 	 "8:1--8:37",
  month = 	 apr,
  abstract =
   "DSD-Crasher is a bug finding tool that follows a three-step approach to
    program analysis:
    \par
    \textbf{D.} Capture the program's intended execution behavior with dynamic
    invariant detection. The derived invariants exclude many unwanted values
    from the program's input domain.
    \par
    \textbf{S.} Statically analyze the program within the restricted input
    domain to explore many paths.
    \par
    \textbf{D.} Automatically generate test cases that focus on reproducing the
    predictions of the static analysis. Thereby confirmed results are feasible.
    \par
    This three-step approach yields benefits compared to past two-step
    combinations in the literature. In our evaluation with third-party
    applications, we demonstrate higher precision over tools that lack a
    dynamic step and higher efficiency over tools that lack a static step.",
  usesDaikon = 1,
  downloads = "http://people.engr.ncsu.edu/txie/publications/tosem08-dsdcrasher.pdf PDF",
}



@Article{RenCR2006,
  author = 	 "Xiaoxia Ren and Ophelia C. Chesley and Barbara G. Ryder",
  title = 	 "Identifying failure causes in {Java} programs: An application of change impact analysis",
  journal = 	 TSE,
  year = 	 2006,
  volume = 	 32,
  number = 	 9,
  pages = 	 "718--732",
  month = 	 sep,
  downloads =    "http://doi.ieeecomputersociety.org/10.1109/TSE.2006.90 DOI",
  abstract =
   "During program maintenance, a programmer may make changes that enhance
    program functionality or fix bugs in code. Then, the programmer usually
    will run unit/regression tests to prevent invalidation of previously tested
    functionality. If a test fails unexpectedly, the programmer needs to
    explore the edit to find the failure-inducing changes for that test. Crisp
    uses results from Chianti, a tool that performs semantic change impact
    analysis [1], to allow the programmer to examine those parts of the edit
    that affect the failing test. Crisp then builds a compilable intermediate
    version of the program by adding a programmer-selected partial edit to the
    original code, augmenting the selection as necessary to ensure
    compilation. The programmer can reexecute the test on the intermediate
    version in order to locate the exact reasons for the failure by
    concentrating on the specific changes that were applied. In nine initial
    case studies on pairs of versions from two real Java programs, Daikon [2]
    and Eclipse jdt compiler [3], we were able to use Crisp to identify the
    failure-inducing changes for all but 1 of 68 failing tests. On average, 33
    changes were found to affect each failing test (of the 67), but only 1-4 of
    these changes were found to be actually failure-inducing.",
  usesDaikonAsTestSubject = 1,
}



@InProceedings{ChesleyRR2005,
  author = 	 "Ophelia Chesley and Xiaoxia Ren and Barbara G. Ryder",
  title = 	 "Crisp: A debugging tool for {Java} programs",
  booktitle = ICSM2005,
  pages = 	 "401-410",
  year = 	 2005,
  address = 	 ICSM2005addr,
  month = 	 ICSM2005date,
  usesDaikonAsTestSubject = 1,
  OLDdownloads = "http://www.prolangs.rutgers.edu/~xren/papers/icsm2005.pdf PDF",
  abstract =
   "Crisp is a tool (i.e., an Eclipse plug-in) for constructing intermediate
    versions of a Java program that is being edited in an IDE such as
    Eclipse. After a long editing session, a programmer usually will run
    regression tests to make sure she has not invalidated previously checked
    functionality. If a test fails unexpectedly, Crisp uses input from Chianti,
    a tool for semantic change impact analysis [8], to allow the programmer to
    select parts of the edit that affected the failing test and to add them to
    the original program, creating an intermediate version guaranteed to
    compile. Then the programmer can re-execute the test in order to locate the
    exact reasons for the failure by concentrating on those affecting changes
    that were applied. Using Crisp, a programmer can iteratively select, apply,
    and undo individual (or sets of) affecting changes and, thus effectively
    find a small set of failure-inducing changes.",
}



@InProceedings{DenmatGD2005,
  author = 	 "Tristan Denmat and Arnaud Gotlieb and Mireille Ducass{\'e}",
  authorASCII =  "Mireille Ducasse",
  title = 	 "Proving or disproving likely invariants with constraint reasoning",
  booktitle = "15th Workshop on Logic-based Methods in Programming Environments (WLPE'05)",
  NEEDpages = 	 "*",
  year = 	 2005,
  address = 	 "Sitges (Barcelona), Spain",
  month = 	 oct # "~5,",
  downloads = "http://arxiv.org/pdf/cs.SE/0508108 PDF",
  abstract =
   "A program invariant is a property that holds for every execution of the
    program. Recent work suggest to infer likely-only invariants, via dynamic
    analysis. A likely invariant is a property that holds for some executions
    but is not guaranteed to hold for all executions. In this paper, we present
    work in progress addressing the challenging problem of automatically
    verifying that likely invariants are actual invariants. We propose a
    constraint-based reasoning approach that is able, unlike other approaches,
    to both prove or disprove likely invariants. In the latter case, our
    approach provides counter-examples. We illustrate the approach on a
    motivating example where automatically generated likely invariants are
    verified.",
  usesDaikon = 1,
}


@TechReport{BowringHR2005,
  author = 	 "James F. Bowring and Mary Jean Harrold and James M. Rehg",
  title = 	 "Improving the classification of software behaviors using ensembles of control-flow and data-flow classifiers",
  institution =  "Georgia Institute of Technology College of Computing",
  year = 	 2005,
  number = 	 "GIT-CERCS-05-10",
  address = 	 "Atlanta, GA, USA",
  month = 	 apr,
  usesDaikon = "Kvasir",
  downloads = "http://www.cercs.gatech.edu/tech-reports/tr2005/git-cercs-05-10.pdf PDF",
  abstract =
   "One approach to the automatic classification of program behaviors is to
    view these behaviors as the collection of all the program's
    executions. Many features of these executions, such as branch profiles, can
    be measured, and if these features accurately predict behavior, we can
    build automatic behavior classifiers from them using statistical
    machine-learning techniques. Two key problems in the development of useful
    classifiers are (1) the costs of collecting and modeling data and (2) the
    adaptation of classifiers to new or unknown behaviors. We address the first
    problem by concentrating on the properties and costs of individual features
    and the second problem by using the active-learning paradigm. In this
    paper, we present our technique for modeling a data-flow feature as a
    stochastic process exhibiting the Markov property. We introduce the novel
    concept of databins to summarize, as Markov models, the transitions of
    values for selected variables. We show by empirical studies that
    databin-based classifiers are effective. We also describe ensembles of
    classifiers and how they can leverage their components to improve
    classification rates. We show by empirical studies that ensembles of
    control-flow and data-flow based classifiers can be more effective than
    either component classifier.",
}




@TechReport{EvansP2004,
  author = 	 "David Evans and Michael Peck",
  title = 	 "Simulating critical software engineering",
  institution =  "University of Virginia Computer Science Department",
  year = 	 2004,
  number = 	 "CS-2004-03",
  address = 	 "Charlottesville, VA, USA",
  month = 	 feb,
  usesDaikon = 1,
  supersededby = "EvansP2006",
  abstract =
   "One goal of many introductory software engineering courses is to
    simulate realistic software engineering. Unfortunately, many of
    the practical constraints of typical courses are antithetical to that
    goal: instead of working in large teams on large projects, dealing
    with changing requirements and maintaining programs over many
    years, courses generally involve students working alone or in
    small teams with short projects than end the first time the program
    works correctly on some selected input. Of course, it is
    impossible (and undesirable) to carry out full industrial software
    development within the context of a typical university course.
    However, it is possible to simulate some aspects of safety critical
    software engineering in an introductory software engineering
    course. This paper describes an approach to teaching introductory
    software engineering that focuses on using lightweight analysis
    tools to aid in producing secure, robust and maintainable
    programs. We describe how assignments were designed that
    integrate analysis tools with typical software engineering material
    and reports on results from an experiment measuring students
    understanding of program invariants.",
  usesDaikon = 1,
  downloads = "http://www.cs.virginia.edu/~techrep/CS-2004-03.pdf PDF",
}



@InProceedings{EvansP2006,
  author = 	 "David Evans and Michael Peck",
  title = 	 "Inculcating invariants in introductory courses",
  booktitle = ICSE2006,
  pages = 	 "673--678",
  year = 	 2006,
  address = 	 ICSE2006addr,
  month = 	 ICSE2006date,
  usesDaikon = 1,
  downloads = "http://www.cs.virginia.edu/~evans/pubs/inculcating-packaged.pdf PDF",
  abstract =
   "One goal of introductory software engineering courses is to motivate
   and instill good software engineering habits. Unfortunately, practical
   constraints on typical courses often lead to student experiences that
   are antithetical to that goal: instead of working in large teams and
   dealing with changing requirements and maintaining programs over many
   years, courses generally involve students working alone or in small
   teams with short projects that end the first time the program works
   correctly on some selected input. Small projects tend to reinforce poor
   software engineering practices. Since the programs are small enough to
   manage cognitively in ad hoc ways, effort spent more precisely
   documenting assumptions seems wasteful. It is infeasible to carry out
   full industrial software development within the context of a typical
   university course. However, it is possible to simulate some aspects of
   safety critical software engineering in an introductory software
   engineering course. This paper describes an approach that focuses on
   thinking about and precisely documenting invariants, and checking
   invariants using lightweight analysis tools. We describe how assignments
   were designed to emphasize the importance of invariants and to
   incorporate program analysis tools with typical software engineering
   material and report on results from an experiment measuring students
   understanding of program invariants.",
}




@MastersThesis{Rad2005,
  author = 	 "Soroush Karimi Rad",
  title = 	 "Can structural test adequacy criteria be used to predict the quality of generated invariants?",
  school = 	 "University of Antwerp Department of Mathematics and Computer Science",
  year = 	 2005,
  address = 	 "Antwerp",
  NOmonthAVAILABLE = 	 "*",
  usesDaikon = 1,
  abstract =
   "The use of invariants during software development has many advantages.
    Among other things, invariants can be used to formally specify
    programs, to check certain vital properties at run-time, improve
    communication between programmers and make understanding programs
    easier. Despite these advantages, many programs lack explicit
    invariants. Dynamic invariant generation can automatically derive
    invariants from the program source but needs an initial test
    suite. Moreover, the quality of the generated invariants depends on
    this initial test suite. Many programs have test suites for detecting
    errors which are designed according to structural coverage criteria. In
    order to reuse these test suites for invariant generation, we must
    investigate the ability of structural coverage criteria to produce good
    quality invariants. An experiment was setup to investigate this
    ability. Our results indicate that there is indeed a correlation
    between structural coverage criteria and the quality of the generated
    invariants, but that in some cases this correlation can become weak due
    to other factors.",
  OLDdownloads = "http://www.lore.ua.ac.be/Teaching/Thesis2LIC/2004-2005/thesis_karimi_rad.pdf PDF",
}


@Article{ElbaumD2005,
  author = 	 "Sebastian Elbaum and Madeline Diep",
  title = 	 "Profiling deployed software: Assessing strategies and testing opportunities",
  journal = 	 TSE,
  year = 	 2005,
  volume = 	 31,
  number = 	 4,
  pages = 	 "312--327",
  month = 	 apr,
  abstract =
   "An understanding of how software is employed in the field can yield many
    opportunities for quality improvements. Profiling released software can
    provide such an understanding. However, profiling released software is
    difficult due to the potentially large number of deployed sites that must
    be profiled, the transparency requirements at a user's site, and the
    remote data collection and deployment management process. Researchers have
    recently proposed various approaches to tap into the opportunities offered
    by profiling deployed systems and overcome those challenges. Initial
    studies have illustrated the application of these approaches and have
    shown their feasibility. Still, the proposed approaches, and the tradeoffs
    between overhead, accuracy, and potential benefits for the testing
    activity have been barely quantified. This paper aims to overcome those
    limitations. Our analysis of 1,200 user sessions on a 155 KLOC deployed
    system substantiates the ability of field data to support test suite
    improvements, assesses the efficiency of profiling techniques for released
    software, and the effectiveness of testing efforts that leverage profiled
    field data.",
  usesDaikon = 1,
  downloads = "http://cse.unl.edu/~elbaum/papers/journals/TSE-deployed05.pdf PDF",
}


@InProceedings{YuanX2005,
  author = 	 "Hai Yuan and Tao Xie",
  title = 	 "Automatic extraction of abstract-object-state machines based on branch coverage",
  booktitle = "1st International Workshop on Reverse Engineering To Requirements (RETR 2005)",
  pages = 	 "5--11",
  year = 	 2005,
  address = 	 "Pittsburgh, PA, USA",
  month = 	 nov,
  abstract =
   "Some requirement modelling languages such as UML's statechart diagrams
    allow developers to specify requirements of state-transition behavior in a
    visual way. These requirement specifications are useful in many ways,
    including helping program understanding and specification-based
    testing. However, there are a large number of legacy systems that are not
    equipped with these requirement specifications.  This paper proposes a new
    approach, called Brastra, for extracting object state machines (OSM) from
    unit-test executions. An OSM describes how a method call transits an object
    from one state to another. When the state of an object is represented with
    concrete-state information (the values of fields transitively reachable
    from the object), the extracted OSMs are simply too complex to be
    useful. Our Brastra approach abstracts an object's concrete state to an
    abstract state based on the branch coverage information exercised by
    methods invoked on the object. We have prototyped our Brastra approach and
    shown the utility of the approach with an illustrating example. Our initial
    experience shows that Brastra can extract compact OSMs that provide useful
    information for understanding state-transition behavior.",
  usesDaikon = "Java front end (Chicory?)",
  downloads = "http://people.engr.ncsu.edu/txie/publications/retr05.pdf PDF",
}


@InProceedings{XieN2002,
  author = 	 "Tao Xie and David Notkin",
  title = 	 "Macro and micro perspectives on strategic software quality assurance in resource constrained environments",
  booktitle =	 "4th International Workshop on Economics-Driven
                  Software Engineering Research (EDSER-4)",
  pages =	 "66--70",
  year =	 2002,
  address =	 "Orlando, FL, USA",
  month =	 may,
  usesDaikon =   1,
  basefilename = "xie-edser-2002",
  downloads =    "http://people.engr.ncsu.edu/txie/publications/strategicSQA.pdf PDF",
  abstract =
   "Software quality assurance (SQA) plays a key role in software development
    process. Software quality assurance methods include testing, inspection,
    formal method (program verification, model checking, etc.), static code
    analysis, and runtime verification, etc. A disciplined approach to meeting
    benefit, cost, schedule, and quality constraints is in need. In this paper,
    we propose two perspectives (macro and micro) on strategic software quality
    assurance in resource constrained environments. We present a survey and
    discuss a variety of research opportunities and challenges with these two
    perspectives. Finally we present our research work on test case
    prioritization based on boundary value coverage to tackle strategic SQA
    problems with these two perspectives.",
}







@InProceedings{CovaBFV2007,
  author = 	 "Marco Cova and Davide Balzarotti and Viktoria Felmetsger and Giovanni Vigna",
  title = 	 "Swaddler: An approach for the anomaly-based detection of state violations in web applications",
  booktitle = "Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID)",
  pages = 	 "63--86",
  year = 	 2007,
  address = 	 "Queensland, Australia",
  month = 	 sep # "~5--7,",
  abstract =
   "In recent years, web applications have become tremendously popular, and
    nowadays they are routinely used in security-critical environments, such as
    medical, financial, and military systems. As the use of web applications
    for critical services has increased, the number and sophistication of
    attacks against these applications have grown as well. Most approaches to
    the detection of web-based attacks analyze the interaction of a web
    application with its clients and back-end servers. Even though these
    approaches can effectively detect and block a number of attacks, there are
    attacks that cannot be detected only by looking at the external behavior of
    a web application.
    \par
    In this paper, we present Swaddler, a novel approach to the anomaly-based
    detection of attacks against web applications. Swaddler analyzes the
    internal state of a web application and learns the relationships between
    the application's critical execution points and the application's
    internal state. By doing this, Swaddler is able to identify attacks that
    attempt to bring an application in an inconsistent, anomalous state, such
    as violations of the intended workflow of a web application. We developed a
    prototype of our approach for the PHP language and we evaluated it with
    respect to several real-world applications.",
  usesDaikon = 1,
  downloads = "http://marcocova.net/data/papers/raid07_swaddler.pdf",
  OLDdownloads = "http://www.cs.bham.ac.uk/~covam/data/papers/raid07_swaddler.pdf PDF",
}




@InProceedings{SchulerDZ2009,
  author = 	 "David Schuler and Valentin Dallmeier and Andreas Zeller",
  title = 	 "Efficient mutation testing by checking invariant violations",
  booktitle = ISSTA2009,
  pages = 	 "69--80",
  year = 	 2009,
  address = 	 ISSTA2009addr,
  month = 	 ISSTA2009date,
  abstract =
   "\emph{Mutation testing} measures the adequacy of a test suite by seeding
    artificial defects (mutations) into a program. If a mutation is not
    detected by the test suite, this usually means that the test suite is not
    adequate. However, it may also be that the mutant keeps the program's
    semantics unchanged-and thus cannot be detected by any test. Such
    \emph{equivalent mutants} have to be eliminated manually, which is tedious.
    \par
    We assess the impact of mutations by checking dynamic invariants. In an
    evaluation of our JAVALANCHE framework on seven industrial-size programs,
    we found that mutations that violate invariants are significantly more
    likely to be detectable by a test suite. As a consequence, mutations with
    impact on invariants should be focused upon when improving test
    suites. With less than 3\% of equivalent mutants, our approach provides an
    efficient, precise, and fully automatic measure of the adequacy of a test
    suite.",
  usesDaikon = 1,
  OPTbasefilename = "",
  downloads = "http://www.st.cs.uni-saarland.de/publications/files/schuler-issta-2009.pdf PDF",
  OPTcategory =  "",
  OPTsummary = 	 "",
}
% only 3% are equivalent.


@InProceedings{BaligaGI2008,
  author = 	 "Arati Baliga and Vinod Ganapathy and Liviu Iftode",
  title = 	 "Automatic inference and enforcement of kernel data structure invariants",
  booktitle = ACSAC2008,
  pages = 	 "77--86",
  year = 	 2008,
  address = 	 ACSAC2008addr,
  month = 	 ACSAC2008date,
  abstract =
   "Kernel-level rootkits affect system security by modifying key kernel data
    structures to achieve a variety of malicious goals. While early rootkits
    modified control data structures, such as the system call table and values of
    function pointers, recent work has demonstrated rootkits that maliciously
    modify non-control data structures. Prior techniques for rootkit
    detection fail to identify such rootkits either because they focus solely on
    detecting control data modifications or because they require elaborate,
    manually-supplied specifications to detect modifications of non-control data.
    \par
    This paper presents a novel rootkit detection technique that automatically
    detects rootkits that modify both control and non-control data. The key
    idea is to externally observe the execution of the kernel during a
    training period and hypothesize invariants. These invariants are used
    as specifications of data structure integrity during an enforcement
    phase; violation of these invariants indicates the presence of a rootkit.
    \par
    We present the design and implementation of Gibraltar, a tool that uses
    the above approach to infer and enforce invariants. In experiments, we
    found that Gibraltar can detect rootkits that modify both control and
    non-control data structures, and that its false positive rate and
    monitoring overheads are negligible.",
  usesDaikon =   1,
  OPTbasefilename = "",
  downloads = "http://www.cs.rutgers.edu/~vinodg/papers/acsac2008a/acsac2008a.pdf PDF",
  OPTsupersededby = "",
  OPTcategory =  "",
  OPTsummary = 	 "",
}






@InProceedings{PasareanuMBGBLPP2008,
  author = 	 "Corina S. P\u{a}s\u{a}reanu and Peter C. Mehlitz and David H. Bushnell and Karen Gundy-Burlet and Michael Lowry and Suzette Person and Mark Pape",
  authorASCII =	 "Corina S. Pasareanu and Peter C. Mehlitz and David H. Bushnell and Karen Gundy-Burlet and Michael Lowry and Suzette Person and Mark Pape",
  title = 	 "Combining unit-level symbolic execution and system-level concrete execution for testing {NASA} software",
  booktitle = ISSTA2008,
  pages = 	 "15--25",
  year = 	 2008,
  address = 	 ISSTA2008addr,
  month = 	 ISSTA2008date,
  abstract =
   "We describe an approach to testing complex safety critical software that
    combines unit-level symbolic execution and system-level concrete execution
    for generating test cases that satisfy user-specified testing criteria. We
    have developed Symbolic Java PathFinder, a symbolic execution framework
    that implements a non-standard bytecode interpreter on top of the Java
    PathFinder model checking tool. The framework propagates the symbolic
    information via attributes associated with the program data. Furthermore,
    we use two tech- niques that leverage system-level concrete program
    executions to gather information about a unit’s input to improve the
    precision of the unit-level test case generation.
    \par
    We applied our approach to testing a prototype NASA flight software
    component. Our analysis helped discover a serious bug that resulted in
    design changes to the software.  Although we give our presentation in the
    context of a NASA project, we believe that our work is relevant for other
    critical systems that require thorough testing.",
  downloads = "http://ti.arc.nasa.gov/m/profile/pcorina/papers/fp047-pasareanu.pdf",
  OPTdownloadsnonlocal = "",
  OPTsupersededby = "",
  OPTcategory =  "",
  OPTsummary = 	 "",
}


@Article{BaligaGI2011,
  author = 	 "Arati Baliga and Vinod Ganapathy and Liviu Iftode",
  title = 	 "Detecting kernel-level rootkits using data structure invariants",
  journal = 	 TDSC,
  year = 	 2011,
  volume = 	 8,
  number = 	 5,
  pages = 	 "670--684",
  month = 	 sep # "/" # oct,
  abstract =
   "Rootkits affect system security by modifying kernel data structures to
    achieve a variety of malicious goals. While early rootkits modified control
    data structures, such as the system call table and values of function
    pointers, recent work has demonstrated rootkits that maliciously modify
    noncontrol data. Most prior techniques for rootkit detection have focused
    solely on detecting control data modifications and, therefore, fail to
    detect such rootkits. This paper presents a novel technique to detect
    rootkits that modify both control and noncontrol data. The main idea is to
    externally observe the execution of the kernel during an inference phase
    and hypothesize invariants on kernel data structures. A rootkit detection
    phase uses these invariants as specifications of data structure
    integrity. During this phase, violation of invariants indicates an
    infection. We have implemented Gibraltar, a prototype tool that infers
    kernel data structure invariants and uses them to detect
    rootkits. Experiments show that Gibraltar can effectively detect previously
    known rootkits, including those that modify noncontrol data structures.",
  usesDaikon = 1,
}


%%%
%%% Leonardo Mariani
%%%


@TechReport{MarianiP2003:TR200301,
  author = 	 "Leonardo Mariani and Mauro Pezz{\`e}",
  title = 	 "Behavior capture and test for controlling the quality of
                  component-based integrated systems",
  ITALIANinstitution =  "Universit{\`a} degli Studi di Milano",
  institution =  "University of Milano -- Bicocca",
  year = 	 2003,
  number = 	 "LTA:2003:01",
  address =	 "Milan, Italy",
  supersededby = "MarianiP2003",
  usesDaikon =   1,
  basefilename = "mariani-tr-lta200301",
  downloads =    "http://www.lta.disco.unimib.it/doc/ei/pdf/lta.2003.01.pdf PDF;
		  http://www.lta.disco.unimib.it/doc/ei/ps/lta.2003.01.ps PostScript",
  abstract =
   "Complex systems and tools are often provided in many different
    versions and configurations that are obtained by adding and replacing
    various components. Many components may be used for distinct
    platforms. Unfortunately, behavioral differences among components may
    cause subtle failures difficult to reveal and remove. One of the main
    goals of verification is to check the completeness and compatibility
    of the services provided by the components to reveal possible
    conflicts, thus supporting efficient verification of different tool
    configurations and versions. The use of components in running systems
    produces a lot of useful information about the components' behavior
    that could be used to check for the compatibility between different
    components and between components and embedding systems. Unfortunately
    this information is normally lost. This paper proposes a new
    technique, called Behavior Capture and Test (BCT), that takes
    advantage of this information. We first monitor the system execution
    and capture the essential characteristics of the behavior by means of
    automatic probes. We then use the collected information to verify the
    compatibility of the components when used as part of other systems."
}


@InProceedings{MarianiP2003,
  author = 	 "Leonardo Mariani and Mauro Pezz{\`e}",
  title = 	 "Behavior capture and test for controlling the quality of
                  component-based integrated systems",
  booktitle =	 "Workshop on Tool-Integration in System Development",
  pages =	 "23--28",
  year =	 2003,
  address =	 FSE2003addr,
  month =	 WTISD2003date,
  usesDaikon =   1,
  basefilename = "mariani-tis-2003",
  downloads =    "http://www.lta.disco.unimib.it/lta/uploads/papers/Mariani-BCT-TISD-2003.pdf PDF",
  OLDdownloads =    "http://www.lta.disco.unimib.it/homepage/leonardo.mariani/pdf/tis03.pdf PDF",
  abstract =
   "Complex software systems are seldom designed from scratch; rather they are
    often designed by assembling basic components.  Software tools are not an
    exception: They are often obtained by assembling simple tools that provide
    basic functionality. From the verification viewpoint, basic tools do not
    differ from components: in both cases they can be seen as black box
    elements that provide a set of services for the embedding system or
    tool. Complex systems and tools are often provided in many different
    versions and configurations that are obtained by adding and replacing
    various components. Let us consider for example a complex CASE tool that
    runs on several platforms and is distributed in various versions for
    different user profiles. Many graphics and system components may be used
    for distinct platforms. For instance, the simple configurations distributed
    free-of-charge may include only a simple set of basic tools, while the
    educational and the professional editions may include a wider set of basic
    tools that provide extended functionality. Unfortunately, behavioral
    differences among components may cause subtle failures difficult to reveal
    and remove. On of the main goals of verification is to check the
    completeness and compatibility of the services provided by the components
    to reveal possible conflicts, thus supporting efficient verification of
    different tool configurations and versions.",
}


@InProceedings{MarianiP2004,
  author = 	 "Leonardo Mariani and Mauro Pezz{\`e}",
  title = 	 "A technique for verifying component-based software",
  booktitle =	 TACOS2004,
  pages = 	 "17--30",
  year =	 2004,
  address =	 TACOS2004addr,
  month =	 TACOS2004date,
  usesDaikon =   1,
  basefilename = "mariani-tacos-2004",
  downloads =    "http://www.lta.disco.unimib.it/lta/uploads/papers/Mariani-Verifying-TACoS-2004.pdf PDF",
  OLDdownloads = "http://www.lta.disco.unimib.it/homepage/leonardo.mariani/pdf/tacos04.pdf PDF",
  abstract =
   "Component-based software systems raise new problems for the testing
    community: the reuse of components suggests the possibility of reducing
    testing costs by reusing information about the quality of the software
    components. This paper addresses the problem of testing evolving software
    systems, i.e., systems obtained by modifying and/or substituting some of
    their components. The paper proposes a technique to automatically identify
    behavioral differences between different versions of the system, to deduce
    possible problems from inconsistent behaviors. The approach is based on the
    automatic distilling of invariants from in-field executions. The computed
    invariants are used to monitor the behavior of new components, and to
    reveal unexpected interactions. The event generated while monitoring system
    executions are presented to software engineers who can infer possible
    problems of the new versions.",
}


@TechReport{Mariani2003,
  author = 	 "Leonardo Mariani",
  title = 	 "Behavior capture and test for verifying evolving
                  component-based systems",
  ITALIANinstitution =  "Universit{\`a} degli Studi di Milano",
  institution =  "University of Milano -- Bicocca",
  year = 	 2003,
  number = 	 "LTA:2003:03",
  address =	 "Milan, Italy",
  usesDaikon =   1,
  supersededby = "Mariani2004:ICSEPhD",
  downloads =    "http://www.lta.disco.unimib.it/doc/ei/pdf/lta.2003.03.pdf PDF;
		  http://www.lta.disco.unimib.it/doc/ei/ps/lta.2003.03.ps PostScript",
  basefilename = "mariani-tr-lta200303",
  abstract =
   "Component-Based System (CBS) technology supports rapid development of
    complex heterogeneous evolving systems by enhancing reuse and
    adaptability. CBSs can be extended and adapted by modifying one or more
    components. The same component can be used in several systems, and the same
    system can be deployed in many configurations that differ for some
    components. Traditional test and analysis techniques make little use of
    quality information about components and subsystems when testing the whole
    system. Thus, reusability for quality assessment and reduction of quality
    related costs are not fully exploited.
    \par
    Moreover, verification of CBSs is hardened by the frequent lack of
    information about components that are provided by third parties without
    source code and with incomplete documentation. This framework reduces the
    applicability of many traditional testing and analysis techniques for
    CBSs. Main goal of my PhD research is the definition and experimentation
    of test and analysis techniques that allow to efficiently test CBSs in
    presence of limited information about design and code by reusing behavioral
    information that can be gathered from previous usage of the components.",
}


@InProceedings{Mariani2004:ICSEPhD,
  author = 	 "Leonardo Mariani",
  title = 	 "Behavior capture and test for verifying evolving component-based systems",
  booktitle =	 "ICSE 2004 Doctoral Symposium",
  pages =	 "78--80",
  year =	 2004,
  address =	 ICSE2004addr,
  month =	 ICSE2004DSdate,
  supersededby = "Mariani2005:PhD",
  usesDaikon =   1,
  basefilename = "mariani-icse-2004",
  downloads =    "http://www.lta.disco.unimib.it/homepage/leonardo.mariani/pdf/icse04.pdf PDF",
  abstract =
   "Component-Based System (CBS) technology supports rapid development of
    complex heterogeneous evolving systems by enhancing reuse and
    adaptability. CBSs can be extended and adapted by modifying one or more
    components. The same component can be used in several systems, and the same
    system can be deployed in many configurations that differ for some
    components. Traditional test and analysis techniques make little use of
    quality information about components and subsystems when testing the whole
    system.  Thus, reusability for quality assessment and reduction of quality
    related costs are not fully exploited.
    \par
    Moreover, verification of CBSs is hardened by the frequent lack of
    information about components that are provided by third parties without
    source code and with incomplete documentation. This framework reduces the
    applicability of many traditional testing and analysis techniques for
    CBSs. Main goal of my PhD research is the definition and experimentation of
    testing and analysis techniques that allow to efficiently test CBSs in
    presence of limited information about design and code by reusing behavioral
    information that can be gathered from previous usage of the components.",
}


@TechReport{Mariani2004:TR200401,
  author = 	 "Leonardo Mariani",
  title = 	 "Capturing and synthesizing the behavior of
                  component-based systems",
  ITALIANinstitution =  "Universit{\`a} degli Studi di Milano",
  institution =  "University of Milano -- Bicocca",
  year = 	 2004,
  number = 	 "LTA:2004:01",
  address =	 "Milan, Italy",
  month =        feb # "~18,",
  usesDaikon =   1,
  basefilename = "mariani-tr-lta200401",
  OLDdownloads =    "http://www.lta.disco.unimib.it/doc/ei/pdf/lta.2004.01.pdf PDF;
		  http://www.lta.disco.unimib.it/doc/ei/ps/lta.2004.01.ps PostScript",
  abstract =
   "Component-based system (CBS) technology facilitates flexibility: systems
    can be adapted, modified, and updated by adding, removing, and changing
    their components. Adding or modifying components require testing the
    components added or modified as well as all components that depend from
    them. Modifying components can introduce dangerous side effects that are
    difficult to predict, thus, in principle, we need to retest the whole
    system. Re-testing the whole system may be extremely expensive and sometimes
    not even possible. Testing effort can be reduced by selecting a subset of
    tests using either regression testing techniques (see for instance, [RH97,
    JH03]) or dependence analysis techniques (see for instance [SW01,
    SHR99]). Testing effort can also be reduced with run-time verification
    techniques that can partially substitute traditional testing (see for
    instance [HR02]).
    \par
    This work consists on a technique reducing testing costs for CBSs. The
    approach, called Behavior Capture and Test (BCT), effectively combines
    run-time monitoring, run-time verification, and testing. We use run-time
    monitoring to gather data about single executions. The collected data are
    then used to automatically derive behavioral properties of the components
    and the system. The inferred properties are used for run-time verification,
    while single executions are used as regression test cases. BCT can be used
    to automatically verify the integration of components that have been used
    in the same or in other systems, which is a very frequent case in
    component-based development.
    \par
    In this report we focus on verification of component-based systems, thus we
    will not address testing and automatic derivation of test suites."
}


@PhdThesis{Mariani2005:PhD,
  author = 	 "Leonardo Mariani",
  title = 	 "Behavior Capture and Test: Dynamic Analysis of Component-Based Systems",
  ITALIANschool =  "Universit{\`a} degli Studi di Milano Bicocca",
  school =       "University of Milano -- Bicocca",
  year = 	 2005,
  address =	 "Milan, Italy",
  usesDaikon =   1,
  basefilename = "mariani-phd-2005",
  NOdownloads =  "",
}





@InCollection{ColinM2005,
  author = 	 "Severine Colin and Leonardo Mariani",
  title = 	 "Run-time verification",
  booktitle = 	 "Model-based Testing of Reactive Systems",
  publisher = 	 "Springer-Verlag",
  year = 	 2005,
  OMITeditor =	 "Manfred Broy and Bengt Jonsson and Joost-Pieter Katoen
                  and Martin Leucker and Alexander Pretschner",
  volume =	 3472,
  series =	 LNCS,
  pages =	 "525--555",
  basefilename = "colin-rtv-2005",
  downloads =    "http://dx.doi.org/10.1007/11498490_24 PDF",
  abstract =
   "This chapter has no abstract.",
}


@InProceedings{DenaroMPT2005,
  author = 	 "Giovanni Denaro and Leonardo Mariani and Mauro Pezz{\`e}
                  and Davide Tosi",
  title = 	 "Adaptive runtime verification for autonomic communication
                  infrastructures",
  booktitle =	 "Workshop on Autonomic Communications and Computing",
  pages = 	 "553--557",
  year =	 2005,
  address =	 "Taormina, Italy",
  month =	 jun # "~13,",
  usesDaikon =   1,
  basefilename = "denaro-acc-2005",
  downloads =    "http://www.lta.disco.unimib.it/lta/uploads/papers/Denaro-Adaptive-WOWMOM-2005.pdf PDF",
  OLDdownloads =    "http://www.lta.disco.unimib.it/homepage/leonardo.mariani/pdf/wowmom05.pdf PDF",
  abstract =
   "Autonomic communication and autonomic computing can solve many problems in
    managing complex network and computer systems, as well as network
    applications, where computing and networking co-exist.  Autonomic
    applications must be able to automatically diagnose and repair their own
    faults. In particular they must be able to monitor the execution state,
    understand the behavior of the application and of the executing
    environment, and interpret monitored data to identify faults and select a
    repairing strategy.
    \par
    Assertions have been extensively studied in software engineering for
    identifying deviations from the expected behaviors and thus signal
    anomalous outcomes. Unfortunately, classic assertions are defined
    statically at development time and cannot capture unpredictable changes and
    evolutions in the execution environment.  Thus they do not easily adapt to
    autonomic applications.
    \par
    This paper proposes a method for the automatic synthesis and adaptation of
    assertions from the observed behavior of an application, aimed at achieving
    adaptive application monitoring.  We believe that this represents an
    important basis to derive autonomic mechanisms that can deal with
    unpredictable situations."
}


@InProceedings{MarianiP2005,
  author = 	 "Leonardo Mariani and Mauro Pezz{\`e}",
  title = 	 "Behavior capture and test: Automated analysis of component integration",
  booktitle =	 ICECCS2005,
  pages = 	 "292--301",
  year =	 2005,
  address =	 ICECCS2005addr,
  month =	 ICECCS2005date,
  usesDaikon =   1,
  basefilename = "mariani-eccs-2005",
  downloads =    "http://www.lta.disco.unimib.it/lta/uploads/papers/Mariani-BCT-ICECCS-2005.pdf PDF",
  OTHERdownloads =    "http://doi.ieeecomputersociety.org/10.1109/ICECCS.2005.25 DOI",
  OLDdownloads = "http://www.lta.disco.unimib.it/homepage/leonardo.mariani/pdf/iceccs05.pdf PDF",
  abstract =
   "Component-based technology is increasingly adopted to speed up the
    development of complex software through component reuse.  Unfortunately,
    the lack of complete information about reused components, and the complex
    interaction patterns among components can lead to subtle problems that
    throw new verification challenges.  Good components are often re-used many
    times, sometimes within product lines, in other cases across different
    products. The reuse of components provides a lot of information that could
    be useful for verification.  In this paper, we show how to automatically
    analyze component interactions by collecting information about components'
    behavior during testing and field execution, and then using the collected
    information for checking the compatibility of components when updated or
    reused in new products.  The paper illustrates the main problems in
    developing the idea, proposes original solutions, and presents a
    preliminary experience that illustrates the effectiveness of the approach.",
}


@InProceedings{LorenzoliMP2006,
  author = 	 "Davide Lorenzoli and Leonardo Mariani and Mauro Pezz{\`e}",
  title = 	 "Inferring state-based behavior models",
  booktitle =    WODA2006,
  year = 	 2006,
  address = 	 WODA2006addr,
  month = 	 WODA2006date,
  supersededby = "LorenzoliMP2008",
  usesDaikon =   1,
  downloads =    "http://www.lta.disco.unimib.it/lta/uploads/papers/lorenzoliEtAl-WODA-2006.pdf PDF",
  OLDdownloads =    "http://www.lta.disco.unimib.it/homepage/leonardo.mariani/pdf/woda06.pdf PDF",
  abstract =
   "Dynamic analysis helps to extract important information
    about software systems useful in testing, debugging and
    maintenance activities. Popular dynamic analysis techniques
    synthesize either information on the values of the variables
    or information on relations between invocation of methods.
    Thus, these approaches do not capture the important relations
    that exist between data values and invocation sequences.
    \par
    In this paper, we introduce a technique, called GK-tail,
    for generating models that represent the interplay between
    program variables and method invocations. GK-tail extends
    the k-tail algorithm for extracting finite state automata from
    execution traces, to the case of finite state automata with
    parameters.
    \par
    The paper presents the technique and the results of some
    preliminary experiments that indicate the potentialities of
    the proposed approach.",
}


@InProceedings{LorenzoliMP2008,
  author = 	 "Davide Lorenzoli and Leonardo Mariani and Mauro Pezz\`{e}",
  authorASCII =  "Davide Lorenzoli and Leonardo Mariani and Mauro Pezze",
  title = 	 "Automatic generation of software behavioral models",
  booktitle = ICSE2008,
  pages = 	 "501--510",
  year = 	 2008,
  address = 	 ICSE2008addr,
  month = 	 ICSE2008date,
  usesDaikon = 1,
  downloads =    "http://www.lta.disco.unimib.it/lta/uploads/papers/lorenzoliEtAl-WODA-2006.pdf PDF",
  abstract =
   "Dynamic analysis of software systems produces behavioral models that are
    useful for analysis, verification and testing.
    \par
    The main techniques for extracting models of functional behavior generate
    either models of constraints on data, usually in the form of Boolean
    expressions, or models of interactions between components, usually in the
    form of finite state machines. Both data and interaction models are useful
    for analyzing and verifying different aspects of software behavior, but
    none of them captures the complex interplay between data values and
    components interactions. Thus related analysis and testing techniques can
    miss important information.
    \par
    In this paper, we focus on the generation of models of relations between
    data values and component interactions, and we present GK-tail, a technique
    to automatically generate extended finite state machines (EFSMs) from
    interaction traces. EFSMs model the interplay between data values and
    component interactions by annotating FSM edges with conditions on data
    values. We show that EFSMs include details that are not captured by either
    Boolean expressions or (classic) FSM alone, and allow for more accurate
    analysis and verification than separate models, even if considered jointly.",
}




@InProceedings{LorenzoliMP2007,
  author = 	 "Davide Lorenzoli and Leonardo Mariani and Mauro Pezz\`{e}",
  authorASCII =  "Davide Lorenzoli and Leonardo Mariani and Mauro Pezze",
  title = 	 "Towards self-protecting enterprise applications",
  booktitle = ISSRE2007,
  pages = 	 "39--48",
  year = 	 2007,
  address = 	 ISSRE2007addr,
  month = 	 ISSRE2007date,
  usesDaikon = 1,
  downloads = "http://www.lta.disco.unimib.it/lta/uploads/papers/lorenzoliEtAl-ISSRE-2007.pdf PDF",
  abstract =
   "Enterprise systems must guarantee high availability and reliability to
    provide 24/7 services without interruptions and failures. Mechanisms for
    handling exceptional cases and implementing fault tolerance techniques can
    reduce failure occurrences, and increase dependability. Most of such
    mechanisms address major problems that lead to unexpected service
    termination or crashes, but do not deal with many subtle domain dependent
    failures that do not necessarily cause service termination or crashes, but
    result in incorrect results.
    \par
    In this paper, we propose a technique for developing self-protecting
    systems. The technique proposed in this paper observes values at relevant
    program points. When the technique detects a software failure, it uses the
    collected information to identify the execution contexts that lead to the
    failure, and automatically enables mechanisms for preventing future
    occurrences of failures of the same type. Thus, failures do not occur again
    after the first detection of a failure of the same type."
}



@Article{MarianiP2007,
  author = 	 "Leonardo Mariani and Mauro Pezz{\`e}",
  authorASCII =  "Leonardo Mariani and Mauro Pezze",
  title = 	 "Dynamic detection of {COTS} component incompatibility",
  journal = 	 IEEESoftware,
  year = 	 2007,
  volume = 	 24,
  number = 	 5,
  pages = 	 "76--85",
  month = 	 sep # "/" # oct,
  usesDaikon = 1,
  downloads = "http://www.lta.disco.unimib.it/lta/uploads/papers/Mariani-COTS-IEEES-2007.pdf PDF",
  abstract =
   "The development of COTS-based systems shifts the focus of testing and
    verification from single components to component integration. Independent
    teams and organizations develop COTS components without referring to
    specific systems or interaction patterns. Developing systems that reuse
    COTS components (even high-quality ones) therefore presents new
    compatibility problems. David Garlan, Robert Allen, and John Ockerbloom
    (1995) reported that in their experience, integrating four COTS components
    took 10 person-years (rather than the one planned person-year), mainly
    because of integration problems. According to Barry Boehm and Chris Abts
    (1999), three of the four main problems with reusing COTS products are
    absence of control over their functionality, absence of control over their
    evolution, and lack of design for interoperability. Our proposed technique,
    called behavior capture and test, detects COTS component incompatibilities
    by dynamically analyzing component behavior. BCT incrementally builds
    behavioral models of components and compares them with the behavior the
    components display when reused in new contexts. This lets us identify
    incompatibilities, unexpected interactions, untested behaviors, and
    dangerous side effects.",
}



%%%
%%% Diego Garbervetsky
%%%


@TechReport{BrabermanGY2004,
  author = 	 "V{\'\i}ctor Braberman and Diego Garbervetsky and Sergio Yovine",
  authorASCII =  "Victor Braberman",
  title = 	 "On synthesizing parametric specifications of dynamic
                  memory utilization",
  institution =  "VERIMAG",
  year = 	 2004,
  number =	 "2004-03",
  NEEDaddress = 	 "",
  NEEDmonth = 	 "",
  supersededby = "BrabermanGY2005",
  usesDaikon =   1,
  basefilename = "braberman-tr-2004",
  downloads =
   "http://www.dc.uba.ar/people/exclusivos/garbervetsky/reportes/BGY_memory2003.pdf PDF;
    http://www.dc.uba.ar/people/exclusivos/garbervetsky/reportes/BGY_memory2005.pdf PDF update 2005",
  abstract =
   "We present a static analysis approach for estimating the amount of memory
    dynamically allocated by a piece of code.  The technique is suitable for
    imperative languages with high-level memory management mechanisms like Java
    and resorts to ideas that come from the community of parallel computing and
    the field of pointer escape analysis.
    \par
    Firstly, we propose a general procedure for synthesizing a parametric
    specification which over-estimates the amount of memory allocated by a
    program method in terms of its parameters. Then, we introduce a series of
    extensions to deal with the problem of estimating memory consumption in a
    scoped-memory management setting.
    \par
    The proposed techniques can be used to predict memory allocation, both
    during compilation and at runtime. Applications are many-fold, from
    improvements in memory management to the generation of parametric
    memory-allocation certificates. These specifications would enable
    application loaders and schedulers to make decisions based on the available
    memory resources and the memory-consumption estimates.",
}

@Misc{BrabermanGY2005:submittedLCTES2005,
  OPTkey = 	 "",
  author = 	 "V{\'\i}ctor Braberman and Diego Garbervetsky and Sergio Yovine",
  authorASCII =  "Victor Braberman",
  title = 	 "Synthesizing parametric specifications of dynamic memory
                  utilization in imperative object-oriented programs",
  OPThowpublished = "",
  OPTmonth = 	 "",
  year = 	 "2005",
  OPTnote = 	 "",
  OPTannote = 	 "",
  abstract =
   "We present a static analysis approach for over-approximating the amount
    of memory dynamically allocated by (Java-like) imperative object-oriented
    programs. We propose a general procedure for synthesizing symbolic
    specifications (actually polynomials) which conservatively estimate memory
    consumption in terms of methods parameters. We have implemented the
    procedure and evaluated it on several benchmarks. Experimental results
    produced exact estimations for most test cases, and quite precise
    approximations for many of the others. We also apply our technique to
    compute usage in the context of scoped memory.",
  TODOusesDaikon =   1,
}


@InProceedings{BrabermanGY2005,
  author = 	 "V{\'\i}ctor Braberman and Diego Garbervetsky and Sergio Yovine",
  authorASCII =  "Victor Braberman",
  title = 	 "Synthesizing parametric specifications of dynamic memory
                  utilization in object-oriented programs",
  booktitle =	 FTFJP2005,
  NEEDpages = 	 "",
  year = 	 2005,
  address =	 FTFJP2005addr,
  month =	 FTFJP2005date,
  abstract =
   "We present a static analysis approach for computing a parametric
    upper-bound of the amount of memory dynamically allocated by (Java-like)
    imperative object-oriented programs. We propose a general procedure for
    synthesizing non-linear formulas (actually polynomials) which
    conservatively estimate memory consumption in terms of method's
    parameters. We have implemented the procedure and evaluated it on several
    benchmarks. Experimental results produced exact estimations for most test
    cases, and quite precise approximations for many of the others.  We also
    apply our technique to compute usage in the context of scoped memory and
    discuss some open issues.",
  usesDaikon =   1,
  basefilename = "braberman-ftfjp-2005",
  downloads =
   "http://www.dc.uba.ar/people/exclusivos/garbervetsky/papers/BGY_FTJP2005.pdf PDF;
    http://www.dc.uba.ar/people/exclusivos/garbervetsky/presentaciones/BGY_MemorySynthesisFTFJP.ppt slides",
}




@TechReport{Garbervetsky2005,
  author = 	 "Diego Garbervetsky",
  title = 	 "Using Daikon to automatically estimate the number of
                  executed instructions",
  institution =  "Universidad De Buenos Aires",
  year = 	 2005,
  NEEDnumber = 	 "",
  address =	 "Argentina",
  month = 	 feb,
  usesDaikon =   1,
  basefilename = "garbervetsky-ir-200502",
  downloads =    "http://www.dc.uba.ar/people/exclusivos/garbervetsky/reportes/BGY_DaikonCount2005.pdf PDF",
  abstract =
   "We present a proof of concept that combines static and dynamic analysis in
    order to obtain symbolic expression that over-approximates the number of
    times an statement is executed in object oriented languages like Java. The
    tool leverages existing dynamic analysis tools like Daikon, but guides it
    (via program instrumentation) in order to obtain linear invariants that,
    after some transformations, are useful to generate the symbolic
    expressions. We show how this tool can be used to over-estimate memory
    consumption in Java applications.",
}






@Article{BrabermanGY2006,
  author = 	 "V{\'\i}ctor Braberman and Diego Garbervetsky and Sergio Yovine",
  authorASCII =  "Victor Braberman",
  title = 	 "A static analysis for synthesizing parametric specifications of dynamic memory consumption",
  journal = 	 JOT,
  year = 	 2006,
  volume = 	 5,
  number = 	 5,
  pages = 	 "31--58",
  month = 	 jun,
  usesDaikon = 1,
  abstract =
   "We present a static analysis for computing a parametric upper-bound of the
    amount of memory dynamically allocated by (Java-like) imperative
    object-oriented programs.  We propose a general procedure for synthesizing
    non-linear formulas which conservatively estimate the quantity of memory
    explicitly allocated by a method as a function of its parameters.  We have
    implemented the procedure and evaluated it on several benchmarks.
    Experimental results produced exact estimations for most test cases, and
    quite precise approximations for many of the others.  We also apply our
    technique to compute usage in the context of scoped memory and discuss some
    open issues.",
  usesDaikon = 1,
  downloads = "http://www.jot.fm/issues/issue_2006_06/article2.pdf PDF",
}


@PhdThesis{Garbervetsky2007,
  author = 	 "Diego Garbervetsky",
  title = 	 "Parametric specification of dynamic memory utilization",
  school = 	 "Univ. of Buenos Aires",
  year = 	 "2007",
  address = 	 "Buenos Aires, Argentina",
  month = 	 nov,
  abstract =
   "Current trends in the embedded and real-time software industry are leading
    towards the use of object-oriented programming languages such as Java.
    From the software engineering perspective, one of the most attractive
    issues in object-oriented design is the encapsulation of abstractions into
    objects that communicate through clearly defined interfaces.
    \par
    However, in order to be able to successfully adopt languages with object
    oriented features like Java in embedded and real-time systems, is necessary
    to solve at least two problems: eliminate execution unpredictability due to
    garbage collection and automatically analyze memory requirements.
    \par
    There has been some work trying to deal with the first problem but the
    problem of computing memory requirements is still challenging. In this
    thesis we present our approach to tackle both problems by presenting
    solutions towards more predictable memory management and predicting memory
    requirements. The effort is mainly focused in the latter problem as we
    found it hard, less explored, strongly relevant for all kinds of embedded
    systems and its applicability and usefulness is beyond real-time
    applications.
    \par
    This thesis presents a series of techniques to automatically compute
    dynamic memory utilization certificates. We start by computing a technique
    that produces parametric specifications of memory allocations without
    consider any memory reclaiming mechanism. Then, we approximate object
    lifetime using escape analysis and synthesize a scoped-based memory
    organization where object are organized in regions that can be collected as
    a whole. We propose a technique to automatically translate conventional
    Java code into code that safely adopts this memory management
    mechanism. Under this new setting we infer parametric specifications of the
    size of each memory regions. Finally, we predict the minimum amount of
    dynamic memory required to run a method (or program) in the context of
    scoped memory management by computing parametric specifications of the size
    of memory regions and by modeling the potential configurations of the
    regions in run time.
    \par
    We develop a prototype tool that implemented the complete chain of
    techniques and allow us to experimentally evaluate the efficiency and
    accuracy of the method on several Java benchmarks. The results are very
    encouraging.",
  usesDaikon = "1",
  downloads = "http://www.dc.uba.ar/people/exclusivos/garbervetsky/thesis/tesis_garbervetsky.pdf PDF",
}




@InProceedings{BrabermanFGY2008,
  author = 	 "Braberman, V{\'\i}ctor and Fern{\'a}ndez, Federico and Garbervetsky, Diego and Yovine, Sergio",
  authorASCII = 	 "Braberman, Victor and Fernandez, Federico and Garbervetsky, Diego and Yovine, Sergio",
  title = 	 "Parametric prediction of heap memory requirements",
  booktitle = ISMM2008,
  pages = 	 "141--150",
  year = 	 2008,
  address = 	 ISMM2008addr,
  month = 	 ISMM2008date,
  usesDaikon = 1,
  downloads = "http://publicaciones.dc.uba.ar/Publications/2008/BFGY08/ISMM103-braberman.pdf PDF",
  abstract =
   "This work presents a technique to compute symbolic polynomial
    approximations of the amount of dynamic memory required to safely execute a
    method without running out of memory, for Java-like imperative programs. We
    consider object allocations and deallocations made by the method and the
    methods it transitively calls. More precisely, given an initial
    configuration of the stack and the heap, the peak memory consumption is the
    maximum space occupied by newly created objects in all states along a run
    from it. We over-approximate the peak memory consumption using a
    scoped-memory management where objects are organized in regions associated
    with the lifetime of methods. We model the problem of computing the maximum
    memory occupied by any region configuration as a parametric polynomial
    optimization problem over a polyhedral domain and resort to Bernstein basis
    to solve it. We apply the developed tool to several benchmarks.",
}


@Misc{SIGSOFT-impact-paper-award-2013,
  author = 	 "SIGSOFT",
  title = 	 "{SIGSOFT} Impact Paper Award",
  howpublished = "\url{http://www.sigsoft.org/awards/ImpactAward.htm}",
  year = 	 2013,
}



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Testing
%%%



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Machine Learning
%%%


@Article{Quinlan90,
  author = 	 "J. Ross Quinlan",
  title = 	 "Learning logical definitions from relations",
  journal = 	 "Machine Learning",
  year = 	 1990,
  volume =	 5,
  pages =	 "239--266",
  abstract =
   "This paper describes FOIL, a system that learns Horn clauses from data
    expressed as relations.  FOIL is based on ideas that have proved
    effective in attribute-value learning systems, but extends them to a
    first-order formalism.  This new system has been applied successfully to
    several tasks taken from the machine learning literature.",
}


@Article{Coh94-AI:jrnl,
  author =       "William W. Cohen",
  title =        "Grammatically biased learning: Learning logic
                 programs using an explicit antecedent description
                 language",
  journal =      "Artificial Intelligence",
  volume =       "68",
  month =        aug,
  pages =        "303--366",
  year =         "1994",
}




@InProceedings{ch-lcdlter-94,
  author =       "William W. Cohen and Haym Hirsh",
  title =        "Learning the {CLASSIC} Description Logic: Theoretical
                 and Experimental Results",
  editors =      "J. Doyle and E. Sandewall and P. Torasso",
  booktitle =    "Principles of Knowledge Representation and Reasoning:
                 Proceedings of the Fourth International Conference
                 (KR94)",
  publisher =    "Morgan Kaufmann",
  year =         1994,
  pages =	 "121--133",
  address =	 "Bonn, Germany",
}


@InProceedings{kohavi.ea:using-mlc:96,
  author =       "Ron Kohavi and Dan Sommerfield and James Dougherty",
  title =        "Data Mining Using {MLC}++: {A} Machine Learning
                 Library in {C}++",
  booktitle =    "Tools with Artificial Intelligence",
  year =         "1996",
  pages =        "234--245",
  note =         "Received the best paper award",
  url =          "ftp://starry.stanford.edu/pub/ronnyk/mlc96.ps.Z",
  contributedby = "Ronny Kohavi, ronnyk(at)sgi.com",
}


@Manual{KohaviS96,
  title = 	 "MLC++:  Machine Learning Library in C++",
  author =	 "Ronny Kohavi and Dan Sommerfield",
  month =	 oct # "~7,",
  year =	 1996
}



@Book{Mitchell97,
  author = 	 "Tom M. Mitchell",
  title = 	 "Machine Learning",
  publisher = 	 "WCB/McGraw-Hill",
  year = 	 1997,
  series =	 "McGraw-Hill Series in Computer Science",
  address =	 "Boston, MA"
}


@book(russell-ai-text,
  author= 	"Stuart J. Russell and Peter Norvig",
  title= 	{Artificial Intelligence: A Modern Approach},
  publisher= 	{Prentice Hall},
  year= 	1995
)


@Book{LangleySBZ87,
  author =	 "Pat Langley and Herbert A. Simon and Gary L. Bradshaw and
		  Jan M. Zytkow",
  title = 	 "Scientific Discovery: Computational Explorations of the
		  Creative Process",
  publisher = 	 "MIT Press",
  year = 	 1987,
  address =	 "Cambridge, MA"
}


@InProceedings{LNAI482*265,
  author =       "N. Lavrac and S. Dzeroski and M. Grobelnik",
  title =        "Learning Nonrecursive Definitions of Relations with
                 {LINUS}",
  pages =        "265--281",
  ISBN =         "3-540-53816-X",
  editor =       "Y. Kodratoff",
  booktitle =    "Proceedings of the European Working Session on
                 Learning : Machine Learning ({EWSL}-91)",
  address =      "Porto, Portugal",
  month =        mar,
  year =         1991,
  series =       "LNAI",
  volume =       482,
  publisher =    "Springer Verlag",
}

@InProceedings{cd-csilpms-97,
  author =       "William W. Cohen and Prem Devanbu",
  title =        "A comparative study of inductive logic programming
                 methods for software fault prediction",
  booktitle =    ICML97,
  address =      ICML97addr,
  month =        ICML97date,
  OMITpublisher =    "Morgan Kaufmann",
  year =         "1997",
  pages =        "66--74",
  abstract =
   "We evaluate inductive logic programming (ILP) methods for predicting fault
    density in C++ classes.  In this problem, each training example is a C++
    class definition, represented as a calling tree, and labeled as
    ``positive'' iff faults (i.e., errors) were discovered in its
    implementation.  We compare two ILP systems, FOIL and FLIPPER, and explore
    the reasons for their differing performance, using both natural and
    artificial data.  We then propose two extensions to FLIPPER:  a
    user-directed bias towards easy-to-evaluate clauses, and an extension that
    allows FLIPPER to learn ``counting clauses''.  Counting clauses augment
    logic programs with a variation of the ``number restrictions'' used in
    description logics, and significantly improve performance on this problem
    when prior knowledge is used.",
}


@Book{Cypher93,
  editor =       "Allen Cypher and Daniel C. Halbert and David Kurlander
                 and Henry Lieberman and David Maulsby and Brad A. Myers
                 and Alan Turransky",
  title =        "Watch What {I} Do: Programming by Demonstration",
  IGNOREpages =  "672",
  publisher =    "MIT Press",
  address =      "Cambridge, MA",
  year =         "1993",
  mrnumber =     "E.Cypher.93",
  ISBN =         "0-262-03213-9",
  contents =     "(not listed)",
}


@InProceedings{ijcai91*665,
  author =       "Haym Hirsh",
  title =        "Theoretical Underpinnings of Version Spaces",
  pages =        "665--670",
  ISBN =         "1-55860-160-0",
  booktitle =    IJCAI91,
  address =      IJCAI91addr,
  month =        IJCAI91date,
  year =         "1991",
}


@InProceedings{LauDW2000,
  author = 	 "Tessa Lau and Pedro Domingos and Daniel S. Weld",
  title = 	 "Version Space Algebra and its Application to Programming by Demonstration",
  booktitle = 	 ICML,
  year =	 2000,
  pages =	 "527--534",
  address =	 "Stanford, CA",
  month =	 jun
}


@InProceedings{LauDW2003,
  author = 	 "Tessa Lau and Pedro Domingos and Daniel S. Weld",
  title = 	 "Learning Programs from Traces Using Version Space Algebra",
  booktitle =	 "K-CAP 2003:  Second International Conference on Knowledge
                  Capture",
  pages =	 "36--43",
  year =	 2003,
  address =	 "Florida, USA",
  month =	 oct # "~23--26,",
}


@phdthesis(mitchell-thesis,
	author=	"Mitchell, Tom M.",
	year=	1978,
	title=	{Version Spaces: An Approach to Concept Learning},
  	school= 	"Department of Computer Science, Stanford University",
  	month= 	dec,
	address=	"Stanford, CA",
	note=   "Stanford University Technical Report, HPP-79-2"
)


@Book{Salton68,
  author =	 "Gerard Salton",
  title = 	 "Automatic Information Organization and Retrieval",
  publisher = 	 "McGraw-Hill",
  year = 	 1968
}

@Book{vanRijsbergen79,
  author =	 "Cornelis Joost van Rijsbergen",
  title = 	 "Information Retrieval",
  publisher = 	 "Butterworths",
  year = 	 1979,
  address =	 "London",
  edition =	 "Second"
}




@InProceedings{Shapiro:acm:popl:1982,
  author =       "Ehud Y. Shapiro",
  title =        "Algorithmic Program Diagnosis",
  booktitle =    "Conference Record of the Ninth Annual {ACM} Symposium
                 on Principles of Programming Languages",
  organization = "ACM",
  publisher =    "ACM",
  month =        jan,
  year =         "1982",
  checked =      "19940215",
  pages =        "299--308",
  abstract =     "The notion of program correctness with respect to an
                 interpretation is defined for a class of programming
                 languages. Under this definition, if a program
                 terminates with an incorrect output then it contains an
                 incorrect procedure. Algorithms for detecting incorrect
                 procedures are developed. These algorithms formalize
                 what experienced programmers know already. A logic
                 program implementation of these algorithms is
                 described. Its performance suggests that the algorithms
                 can be the backbone of debugging aids that go far
                 beyond what is offered by current programming
                 environments. Applications of algorithmic debugging to
                 automatic program construction are explored.",
}

@PhdThesis{SHAPIRO82A,
  key =          "Shapiro",
  author =       "Ehud Y. Shapiro",
  title =        "Algorithmic Program Debugging",
  school =       "Yale University",
  month =        may,
  year =         "1982",
  keywords =     "foundations; debugging; induction",
  bibdate =      "Thu Nov 3 11:54:59 1983",
}

@InProceedings{Shapiro:1981,
  author =       "Ehud Y. Shapiro",
  year =         1981,
  title =        "An algorithm that infers theories from facts",
  booktitle =    "Proceedings of the Seventh International Joint
                 Conference on Artificial Intelligence (IJCAI-81)",
  pages =        "446--451",
  address =      "Vancouver, BC",
  month =        aug
}

@InProceedings{Shapiro:1981:MIS,
  author =       "Ehud Y. Shapiro",
  year =         1981,
  title =        "The {Model} {Inference} {System}",
  booktitle =    "Proceedings of the Seventh International Joint
                 Conference on Artificial Intelligence (IJCAI-81)",
  pages =        1064,
  address =      "Vancouver, BC",
  month =        aug
}


@Book{Shapiro83,
  author =       "Ehud Y. Shapiro",
  title =        "Algorithmic Program Debugging",
  publisher =    "MIT Press",
  address =      "Cambridge, MA",
  year =         1983,
  keyword =      "logic programming, testing",
}



@InProceedings{1988:pdd:lichtenstein,
  author =       "Yossi Lichtenstein and Ehud Shapiro",
  title =        "Concurrent Algorithmic Debugging",
  booktitle =    "Proceedings of the {ACM} {SIGPLAN} and {SIGOPS}
                 Workshop on Parallel and Distributed Debugging",
  year =         "1988",
  pages =        "248--260",
  genterms =     "ALGORITHMS, THEORY",
  categories =   "D.2.5 Software, SOFTWARE ENGINEERING, Testing and
                 Debugging, Diagnostics. C.2.4 Computer Systems
                 Organization, COMPUTER-COMMUNICATION NETWORKS,
                 Distributed Systems, Distributed applications.",
  annote =       "incomplete",
}

@Article{Lichtenstein:1989:CAD,
  author =       "Yossi Lichtenstein and Ehud Shapiro",
  title =        "Concurrent algorithmic debugging",
  journal =      "ACM SIG{\-}PLAN Notices",
  volume =       "24",
  number =       "1",
  pages =        "248--260",
  month =        jan,
  year =         "1989",
  coden =        "SINODQ",
  ISSN =         "0362-1340",
  bibdate =      "Sat Aug 13 17:16:20 MDT 1994",
  keywords =     "algorithms; theory",
  subject =      "D.2.5 Software, SOFTWARE ENGINEERING, Testing and
                 Debugging, Diagnostics \\ C.2.4 Computer Systems
                 Organization, COMPUTER-COMMUNICATION NETWORKS,
                 Distributed Systems, Distributed applications",
}



@Article{Agrawal+Gehrke+Gunopulos+Raghavan+1998a,
  author =       "Rakesh Agrawal and Johannes Gehrke and Dimitrios
                 Gunopulos and Prabhakar Raghavan",
  title =        "Automatic Subspace Clustering of High Dimensional Data
                 for Data Mining Applications",
  pages =        "94--105",
  editor =       "Laura M. Haas and Ashutosh Tiwary",
  journal =      "SIGMOD Record: Proc. ACM SIGMOD Int. Conf. Management
                 of Data",
  location =     "Seattle, Washington, U.S.A.",
  month =        jun # "~2--4,",
  year =         "1998",
  volume =       "27",
  number =       "2",
  pubmonth =     jun,
  pubyear =      "1998",
  abstract =     "Data mining applications place special requirements on
                 clustering algorithms including: the ability to find
                 clusters embedded in subspaces of high dimensional
                 data, scalability, end-user comprehensibility of the
                 results, non-presumption of any canonical data
                 distribution, and insensitivity to the order of input
                 records. We present CLIQUE, a clustering algorithm that
                 satisfies each of these requirements. CLIQUE identifies
                 dense clusters in subspaces of maximum dimensionality.
                 It generates cluster descriptions in the form of DNF
                 expressions that are minimized for ease of
                 comprehension. It produces identical results
                 irrespective of the order in which input records are
                 presented and does not presume any specific
                 mathematical form for data distribution. Through
                 experiments, we show that CLIQUE efficiently finds
                 accurate clusters in large high dimensional datasets.",
  pdf-url =      "http://www.almaden.ibm.com/cs/quest/papers/sigmod98_clique.pdf",
  postscript-url = "http://www.almaden.ibm.com/cs/quest/papers/sigmod98_clique.ps",
  postscript-url = "http://www.almaden.ibm.com/cs/people/ragrawal/papers/sigmod98_clique.ps",
  postscript-url = "http://www.cs.wisc.edu/~johannes/papers/sigmod98_clique.ps",
  pdf-doc =      "00000784.pdf",
  postscript-doc = "00000785.ps",
}


@InProceedings{CherniavskyVS88,
 author = {John C. Cherniavsky and Mahendran Velauthapillai and Richard Statman},
 title= {Inductive inference: an abstract approach},
 booktitle = {Proceedings of the first annual workshop on Computational learning theory},
 year = 1988,
 ISBN = {0-55869-019-5},
 pages = {251--266},
 location = {MIT, Cambridge, Massachusetts, United States},
 publisher = {Morgan Kaufmann Publishers Inc.},
 }

@InProceedings{AnthonyBCST92,
 author = {Martin Anthony and Graham Brightwell and Dave Cohen and John Shawe-Taylor},
 title= {On exact specification by examples},
 booktitle = {Proceedings of the fifth annual workshop on Computational learning theory},
 year = 1992,
 ISBN = {0-89791-497-X},
 pages = {311--318},
 location = {Pittsburgh, Pennsylvania, United States},
 doi = {http://doi.acm.org/10.1145/130385.130420},
 publisher = {ACM Press},
 abstract =
   "Some recent work [7, 14, 15] in computational learning theory has discussed
    learning in situations where the teacher is helpful, and can choose to
    present carefully chosen sequences of labelled examples to the learner. We
    say a function t in a set H of functions (a hypothesis space) defined on a
    set X is specified by S***X if the only function in H which agrees with t
    on S is t itself. The specification number &sgr;(t) of t is the least
    cardinality of such an S. For a general hypothesis space, we show that the
    specification number of any hypothesis is at least equal to a parameter from
    [14] known as the testing dimension of H. We investigate in some detail the
    specification numbers of hypotheses in the set Hn of linearly separable
    boolean functions: We present general methods for finding upper bounds on
    &sgr;(t) and we characterise those t which have largest &sgr;(t). We obtain
    a general lower bound on the number of examples required and we show that
    for all nested hypotheses, this lower bound is attained. We prove that for
    any t &egr; Hn, there is exactly one set of examples of minimal cardinality
    (i.e., of cardinality &sgr;(t)) which specifies t. We then discuss those t
    &egr; Hn which have limited dependence, in the sense that some of the
    variables are redundant (i.e., there are irrelevant attributes), giving
    tight upper and lower bounds on &sgr;(t) for such hypotheses. In the final
    section of the paper, we address the complexity of computing specification
    numbers and related parameters.",
 }





%%%
%%% Programmer's Apprentice
%%%



@Article{Rich:1988:PAR,
  author =       "Charles Rich and Richard C. Waters",
  title =        "The {P}rogrammer's {A}pprentice: A research overview",
  journal =      "IEEE Computer",
  volume =       21,
  number =       11,
  pages =        "10--25",
  month =        nov,
  year =         1988,
  coden =        "CPTRB4",
  ISSN =         "0018-9162",
  bibdate =      "Sat Sep 14 07:29:35 MDT 1996",
  affiliation =  "Artificial Intelligence Lab., MIT, Cambridge, MA,
                 USA",
  classification = "C6115 (Programming support); C6170 (Expert
                 systems)",
  keywords =     "Knowledge based system; Programmer's Apprentice;
                 Programming; Programming environments",
  thesaurus =    "Knowledge based systems; Programming environments",
}


@Article{1978:tse:rich,
  title =        "Initial Report on a {L}isp Programmer's Apprentice",
  author =       "Charles Rich and Howard E. Shrobe",
  pages =        "456--467",
  journal =      TSE,
  ISSN =         "0098-5589",
  year =         "1978",
  volume =       "4",
  month =        nov,
  number =       "6",
  annote =       "incomplete",
}

@InProceedings{ijcai81*1044,
  author =       "Charles Rich",
  title =        "A Formal Representation for Plans in the Programmers
                 Apprentice",
  pages =        "1044--1052",
  ISBN =         "1-86576-059-4",
  editor =       "Patrick J. Hayes",
  booktitle =    "Proceedings of the 7th International Joint Conference
                 on Artificial Intelligence ({IJCAI} '81)",
  month =        aug # "~24--28",
  publisher =    "William Kaufmann",
  address =      "Los Altos, CA",
  year =         "1991",
}

@Article{RichWaters88,
  key =          "Rich \&{} Waters",
  author =       "Charles Rich and Richard C. Waters",
  title =        "Automatic Programming: Myths and Prospects",
  journal =      "IEEE Computer",
  pages =        "40--51",
  volume =       "21",
  number =       "8",
  month =        aug,
  year =         "1988",
  location =     "CMU E \&{} S Library",
}

@Article{rich.wills:recognizing,
  author =       "Charles Rich and Linda M. Wills",
  title =        "Recognizing a Program's Design: {A} Graph-Parsing
                 Approach",
  journal =      "IEEE Software",
  year =         "1990",
  volume =       "7",
  number =       "1",
  pages =        "82--89",
  month =        jan,
  note =         "In this paper it is assumed that most programmers use
                 similar structures to program. Such so-called cliches
                 can be recognized automatically and can then be used to
                 generate the documentation of the program",
  class =        "Software_Reverse_Engineering, Reverse_Design,
                 Knowledge-Based_Concept_Assignment,
                 Program_Plan_Assignment_by_Parsing, Recognizer",
}


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Software (primarily machine learning software)
%%%














@Misc{Cubist1998,
  author =	 "{RuleQuest Research}",
  title =	 "Data Mining with {C}ubist",
  howpublished = "\url{http://www.rulequest.com/cubist-info.html}",
  year =	 1998
}




@Misc{FOIL6.4,
  author =	 "J. Ross Quinlan and Mike Cameron-Jones",
  title =	 "{FOIL} 6.4",
  howpublished = "\url{ftp://ftp.cs.su.oz.au/pub/}",
  month =	 feb # "~5,",
  year =	 1996
}






@InProceedings{USENIX98*167,
  author =       "Geoff A. Cohen and Jeffrey S. Chase and David L.
                 Kaminsky",
  title =        "Automatic Program Transformation with {JOIE}",
  pages =        "167--178",
  ISBN =         "1-880446-94-4",
  booktitle =    "Proceedings of the {USENIX} 1998 Annual Technical
                 Conference",
  month =        jun # "~15--19,",
  publisher =    "USENIX Association",
  address =      "Berkeley, CA",
  year =         "1998",
}


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Formal specifications
%%%


@Book{Gries81,
  author =       "David Gries",
  title =        "The Science of Programming",
  publisher =    "Springer-Verlag",
  address =      "New York",
  year =         1981,
}


@TechReport{CORNELLCS//TR82-498,
  type =         "Technical Report",
  number =       "TR82-498",
  title =        "The Science of Programming Answer Book",
  year =         1982,
  month =        jun,
  institution =  "Cornell University, Computer Science Department",
  pages =        45,
  author =       "David Gries",
  language =     "English",
  annote =       "Includes errata. 1 reference.",
  notes =        "Please contact David Gries, 4130 Upson Hall, Cornell
                 University, Ithaca, NY 14853 for a copy of this
                 technical report.",
}


@Book{Dromey89,
  author =	 "Geoff Dromey",
  title = 	 "Program Derivation:  The Development of Programs From Specifications",
  publisher = 	 "Addison-Wesley",
  year = 	 1989,
  address =	 "Sydney, Australia"
}


@Book{ChandyM88,
  author =       "K. Mani Chandy and Jayadev Misra",
  title =        "Parallel Program Design: A Foundation",
  publisher =    "Addison-Wesley",
  year =         "1988",
  address =      "Reading, MA",
  keyword =      "UNITY"
}


@Article{Clarke:1996:FMS,
  author =       "Edmund M. Clarke and Jeannette M. Wing and Rajeev Alur
                 and Rance Cleaveland and David Dill and Allen Emerson
                 and Stephen Garland and Steven German and John Guttag
                 and Anthony Hall and Thomas Henzinger and Gerard
                 Holzmann and Cliff Jones and Robert Kurshan and Nancy
                 Leveson and Kenneth McMillan and J. Moore and Doron
                 Peled and Amir Pnueli and John Rushby and Natarajan
                 Shankar and Joseph Sifakis and Prasad Sistla and
                 Bernhard Steffen and Pierre Wolper and Jim Woodcock and
                 Pamela Zave",
  title =        "Formal methods: state of the art and future
                 directions",
  journal =      "ACM Computing Surveys",
  volume =       "28",
  number =       "4",
  pages =        "626--643",
  month =        dec,
  year =         "1996",
  coden =        "CMSVAN",
  ISSN =         "0360-0300",
  bibdate =      "Thu Jun 26 16:49:57 MDT 1997",
  url =          "http://www.acm.org/pubs/citations/journals/surveys/1996-28-4/p626-clarke/",
}



@Book{DijkstraS90,
  author =       "Edsger W. Dijkstra and Carel S. Scholten",
  title =        "Predicate Calculus and Program Semantics",
  publisher =    "Springer-Verlag",
  address =      "New York",
  year =         "1990",
  bookpages =        "xi+220",
  ISBN =         "0-387-96957-8 (New York) 3-540-96957-8 (Berlin)",
  callno =       "QA9.35.D55",
  checked =      "13 August 1992",
}


@PhdThesis{Laffra92a,
  author =       "Chris Laffra",
  title =        "{PROCOL}: A Concurrent Object Language with
                 Protocols, Delegation, Persistence and Constraints",
  school =       "Erasmus University of Rotterdam",
  type =         "Ph.{D}. Thesis",
  month =        may,
  year =         "1992",
  keywords =     "olit-obcl procol concurrency binder (shelf)",
}


@Book{Guttag-Horning93,
  key =          "Guttag \& Horning",
  author =       "John V. Guttag and James J. Horning and S. J. Garland
                 and K. D. Jones and A. Modet and J. M. Wing",
  title =        "Larch: Languages and Tools for Formal Specification",
  publisher =    "Springer-Verlag",
  year =         "1993",
  series = 	 "Texts and Monographs in Computer Science",
  address =      "New York, NY",
  annote =       "99 references.",
}


@InProceedings{Chan-Boyland-Scherlis98,
  author =       "Edwin C. Chan and John T. Boyland and William L.
                 Scherlis",
  title =        "Promises: Limited Specifications for Analysis and
                 Manipulation",
  booktitle =    ICSE98,
  address =      "Kyoto, Japan",
  month =         apr # "~19--25,",
  year =         "1998",
  pages =        "167--176",
}



@Article{Hoare69,
  author =       "C. A. R. Hoare",
  title =        "An Axiomatic Basis for Computer Programming",
  journal =      CACM,
  volume =       12,
  number =       10,
  pages =        "576--583",
  month =        oct,
  year =         1969,
  coden =        "CACMA2",
  ISSN =         "0001-0782",
  bibdate =      "Mon Jan 27 13:09:18 1997",
}


@Book{Dijkstra76,
  author =       "E. W. Dijkstra",
  title =        "A Discipline of Programming",
  publisher =    "Prentice-Hall",
  address =      "Englewood Cliffs, NJ",
  year =         "1976"
}


@Book{Spivey88a,
  author =       "J. M. Spivey",
  title =        "Understanding {Z}",
  publisher =    "Cambridge University Press",
  series =       "Cambridge Tracts in Theoretical Computer Science 3",
  note =         "ISBN 0-521-33429-2",
  year =         "1988",
  keywords =     "SOFTENG, SPECIFICATION, Z",
}


@Article{Hoare:1987:LP,
  author =       "C. A. R. Hoare and I. J. Hayes and He Jifeng and C. C.
                 Morgan and A. W. Roscoe and J. W. Sanders and I. H.
                 S{\o}rensen and J. M. Spivey and B. A. Sufrin",
  title =        "Laws of programming",
  journal =      "Communications of the ACM",
  volume =       "30",
  number =       "8",
  pages =        "672--686",
  month =        aug,
  year =         "1987",
  coden =        "CACMA2",
  ISSN =         "0001-0782",
  mrclass =      "68N05",
  mrnumber =     "899 396",
  bibdate =      "Sat Apr 06 08:06:23 1996",
  note =         "See corrigendum \cite{Hoare:1987:CLP}.",
  url =          "http://www.acm.org/pubs/toc/Abstracts/0001-0782/27653.html",
  keywords =     "design; languages; theory; verification",
  subject =      "{\bf D.1.4}: Software, PROGRAMMING TECHNIQUES,
                 Sequential Programming. {\bf D.3.1}: Software,
                 PROGRAMMING LANGUAGES, Formal Definitions and Theory,
                 Semantics. {\bf D.3.4}: Software, PROGRAMMING
                 LANGUAGES, Processors, Optimization. {\bf F.1.2}:
                 Theory of Computation, COMPUTATION BY ABSTRACT DEVICES,
                 Modes of Computation. {\bf F.3.1}: Theory of
                 Computation, LOGICS AND MEANINGS OF PROGRAMS,
                 Specifying and Verifying and Reasoning about Programs,
                 Pre- and post-conditions. {\bf F.3.1}: Theory of
                 Computation, LOGICS AND MEANINGS OF PROGRAMS,
                 Specifying and Verifying and Reasoning about Programs,
                 Specification techniques. {\bf F.3.2}: Theory of
                 Computation, LOGICS AND MEANINGS OF PROGRAMS, Semantics
                 of Programming Languages, Algebraic approaches to
                 semantics. {\bf I.2.2}: Computing Methodologies,
                 ARTIFICIAL INTELLIGENCE, Automatic Programming, Program
                 transformation.",
}


@Article{Hoare:1987:CLP,
  author =       "C. A. R. Hoare and I. J. Hayes and He Jifeng and C. C.
                 Morgan and A. W. Roscoe and J. W. Sanders and I. H.
                 Sorensen and J. M. Spivey and B. A. Sufrin",
  title =        "Corrigenda: {``Laws of programming''}",
  journal =      "Communications of the ACM",
  volume =       "30",
  number =       "9",
  pages =        "771",
  month =        sep,
  year =         "1987",
  coden =        "CACMA2",
  ISSN =         "0001-0782",
  mrclass =      "68N05",
  mrnumber =     "904 132",
  bibdate =      "Tue Dec 26 13:35:07 1995",
  note =         "See \cite{Hoare:1987:LP}.",
  url =          "http://www.acm.org/pubs/toc/Abstracts/0001-0782/30407.html",
  keywords =     "languages",
  subject =      "{\bf D.2.0}: Software, SOFTWARE ENGINEERING,
                 General.",
}


@Article{ParnasC1986:correction,
  title =        "Correction to ``{A} Rational Design Process: How and
                 Why to Fake It,'' \emph{TSE} 12(2):251--257",
  author =       "David Lorge Parnas and Paul C. Clements",
  journal =      IEEETSE,
  pages =        874,
  month =        aug,
  year =         1986,
  volume =       12,
  number =       8,
}

@Article{ParnasC86,
  key =          "parnas86a",
  author =       "David Lorge Parnas and Paul C. Clements",
  title =        "A Rational Design Process: How and Why to Fake It",
  journal =      IEEETSE,
  year =         1986,
  volume =       "SE-12",
  number =       2,
  pages =        "251--257",
  month =        feb,
  abstract =     "Many have sought a software design process that allows
                 a program to be derived systematically from a precise
                 statement of requirements. It is proposed that,
                 although designing a real product in that way will not
                 be successful, it is possible to produce documentation
                 that makes it appear that the software was designed by
                 such a process. The ideal process and the documentation
                 that it requires are described. The authors explain why
                 one should attempt to design according to the ideal
                 process and why one should produce the documentation
                 that would have been produced by that process. The
                 contents of each of the required documents are outlined
                 (17 Refs.)",
}




@InProceedings{JacksonSS00,
  author =       "Daniel Jackson and Ian Schechter and Ilya Shlyakhter",
  title =        "Alcoa: the {Alloy} Constraint Analyzer",
  booktitle =    ICSE2000,
  pages =	 "730--733",
  year =	 2000,
  address =	 ICSE2000addr,
  month =	 ICSE2000date,
  abstract =    "Alcoa is a tool for analyzing object models. It has a
		 range of uses. At one end, it can act as a support tool
		 for object model diagrams, checking for consistency of
		 multiplicities and generating sample snapshots. At the
		 other end, it embodies a lightweight formal method in
		 which subtle properties of behaviour can be investigated.
                 \\
		 Alcoa's input language, Alloy, is a new notation based on
		 Z. Its development was motivated by the need for a
		 notation that is more closely tailored to object models
		 (in the style of UML), and more amenable to automatic
		 analysis. Like Z, Alloy supports the description of
		 systems whose state involves complex relational
		 structure. State and behavioural properties are described
		 declaratively, by conjoining constraints. This makes it
		 possible to develop and analyze a model incrementally,
		 with Alcoa investigating the consequences of whatever
		 constraints are given.
                 \\
		 Alcoa works by translating constraints to boolean
		 formulas, and then applying state-of-the-art SAT
		 solvers. It can analyze billions of states in seconds."
}

@InProceedings{Jackson00:FSE,
  author =       "Daniel Jackson",
  title =        "Automating first-order relational logic",
  pages =        "130--139",
  booktitle =    FSE00,
  month =        nov # "~8--10,",
  series =       "ACM Software Engineering Notes",
  volume =       "25, 6",
  year =         "2000",
}


@Book{Rumbaugh-Jacobson-Booch99,
  author =       "James Rumbaugh and Ivar Jacobson and Grady Booch",
  title =        "The Unified Modeling Language Reference Manual",
  publisher =    "Addison Wesley Longman",
  year =         1999,
  key =          "Rumbaugh \& Jacobson \& Booch",
  series =       "Object Technology Series",
  address =      "Reading, MA",
}


@Book{Jones90,
  author =	 "Cliff B. Jones",
  title = 	 "Systematic Software Development using VDM",
  publisher = 	 "Prentice Hall",
  year = 	 1990,
  edition =	 "Second"
}




%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Behavioral subtyping
%%%

@Book{LiskovG86,
  author =       "Barbara Liskov and John Guttag",
  title =        "Abstraction and Specification in Program Development",
  publisher =    "MIT Press",
  address =      "Cambridge, MA",
  year =         "1986",
  ISBN =         "0-262-12112-3",
}

@Book{LiskovG01,
  author =       "Barbara Liskov and John Guttag",
  title =        "Program Development in Java:  Abstraction, Specification,
                  and Object-Oriented Design",
  publisher =    "Addison-Wesley",
  address =      "Boston, MA",
  year =         "2001",
}

@Article{LiskovW94,
  author = 	 "Barbara H. Liskov and Jeannette M. Wing",
  title = 	 "A behavioral notion of subtyping",
  journal = 	 toplas,
  year = 	 1994,
  volume =	 16,
  number =	 6,
  pages =	 "1811--1841",
  month =	 nov
}

@Article{BlackHJLC87,
  author = 	 "Andrew Black and Norman Hutchinson and Eric Jul and Henry
                  Levy and Larry Carter",
  title = 	 "Distributed and abstract types in {Emerald}",
  journal = 	 tse,
  year = 	 1987,
  volume =	 13,
  number =	 1,
  pages =	 "65--76",
  month =	 jan
}

@InProceedings{SchaffertCBKW86,
  author = 	 "Craig Schaffert and Topher Cooper and Bruce Bullis and
                  Mike Kilian and Carrie Wilpolt",
  title = 	 "An introduction to {Trellis}/{Owl}",
  booktitle =	 oopsla86,
  pages =	 "9--16",
  year =	 1986,
  address =	 oopsla86addr,
  month =	 jun
}

@Article{Cardelli88,
  author = 	 "Luca Cardelli",
  title = 	 "A semantics of multiple inheritance",
  journal = 	 IandC,
  year = 	 1988,
  volume =	 76,
  number =	 "2/3",
  pages =	 "138--164",
  month =	 feb # "/" # mar
}



@InProceedings{AmericavdL90,
  author = 	 "Pierre America and Frank van der Linden",
  title = 	 "A parallel object-oriented language with inheritance and
                  subtyping",
  booktitle =	 oopsla90,
  pages =	 "161--168",
  year =	 1990,
  address =	 oopsla90addr,
  month =	 oopsla90date
}



@Article{ZaremskiW97,
  author = 	 "Amy Moormann Zaremski and Jeannette M. Wing",
  title = 	 "Specification matching of software components",
  journal = 	 tosem,
  year = 	 1997,
  volume =	 6,
  number =	 4,
  pages =	 "333--369",
  month =	 oct,
  abstract =
   "Specification matching is a way to compare two software components, based
    on descriptions of the component's behaviors. In the context of software
    reuse and library retrieval, it can help determine whether one component
    can be substituted for another or how one can be modified to fit the
    requirements of the other. In the context of object-oriented programming,
    it can help determine when one type is a behavioral subtype of another. We
    use formal specifications to describe the behavior of software components
    and, hence, to determine whether two components match. We give precise
    definitions of not just exact match, but, more relevantly, various flavors
    of relaxed match. These definitions capture the notions of generalization,
    specialization, and substitutability of software components. Since our
    formal specifications are pre- and postconditions written as predicates in
    first-order logic, we rely on theorem proving to determine match and
    mismatch. We give examples from our implementation of specification
    matching using the Larch Prover."
}



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Dynamic analyses
%%%




@InProceedings{CookW98:fse,
  author = 	 "Jonathan E. Cook and Alexander L. Wolf",
  title = 	 "Event-Based Detection of Concurrency",
  booktitle = 	 FSE98,
  pages =	 "35--45",
  year =	 1998,
  address =	 FSE98addr,
  month =	 FSE98date,
  abstract =     "Understanding the behavior of a system is crucial in
		  being able to modify, maintain, and improve the system. A
		  particularly difficult aspect of some system behaviors is
		  concurrency. While there are many techniques to specify
		  intended concurrent behavior, there are few, if any,
		  techniques to capture and model actual concurrent
		  behavior. This paper presents a technique to discover
		  patterns of concurrent behavior from traces of system
		  events. The technique is based on a probabilistic
		  analysis of the event traces. Using metrics for the
		  number, frequency, and regularity of event occurrences, a
		  determination is made of the likely concurrent behavior
		  being manifested by the system. The technique is useful
		  in a wide variety of software engineering tasks,
		  including architecture discovery, reengineering, user
		  interaction modeling, and software process improvement."
}


@Article{CookW98:tosem,
  author = 	 "Jonathan E. Cook and Alexander L. Wolf",
  title = 	 "Discovering Models of Software Processes from Event-Based Data",
  journal = 	 TOSEM,
  year = 	 1998,
  volume =	 7,
  number =	 3,
  pages =	 "215--249",
  month =	 jul,
  abstract =     "Many software process methods and tools presuppose the
		  existence of a formal model of a process.  Unfortunately,
		  developing a formal model for an on-going, complex
		  process can be difficult, costly, and error prone.  This
		  presents a practical barrier to the adoption of process
		  technologies, which would be lowered by automated
		  assistance in creating formal models.
		    To this end, we have developed a technique for using
		  event data captured from an ongoing process to generate a
		  formal model of the behavior of that process.  We term
		  this kind of data analysis process discovery.  Three
		  methods for process discovery, ranging from the purely
		  algorithmic to the purely statistical, are described and
		  compared in this paper.  We also discuss the application
		  of the methods in an industrial case study."
}



@InProceedings{BoigelotG97,
  author = 	 "Bernard Boigelot and Patrice Godefroid",
  title = 	 "Automatic Synthesis of Specifications from the Dynamic Observation of Reactive Programs",
  booktitle = 	 TACAS97,
  pages =	 "321--333",
  year =	 1997,
  address =	 "Twente",
  month =	 apr,
  abstract =
   "VeriSoft is a tool for systematically exploring the state spaces of systems
    composed of several concurrent processes executing arbitrary C (or C++)
    code.  VeriSoft can automatically detect coordination problems between the
    concurrent processes of a system.  In this paper, we present a method to
    synthesize a finite-state machine that simulates all the sequences of
    visible operations of a given process that were observed during a
    state-space exploration performed by VeriSoft.  The examination of this
    machine makes it possible to discover the dynamic behavior of the process
    in its environment and to understand how it contributes to the global
    behavior of the system.",
}


@InCollection{BratkoG93,
  author =       "Ivan Bratko and Marko Grobelnik",
  title =        "Inductive learning applied to program construction and
                 verification",
  booktitle =    AIFIPP92,
  year =         1993,
  pages =        "169--182",
  publisher =    "North-Holland",
  editor =       "Jos{\'e} Cuena",
  abstract = 	 "In this paper we show how techniques of inductive logic
		  programming (ILP), a form of inductive learning, can be
		  applied to some traditional problems of program
		  development and verification.  First we consider the
		  problem of data reification when refining an abstract
		  program specification into a more concrete one, that is
		  one closer to the target implementation language.  An ILP
		  system is then used to automatically construct a target
		  language program specification.  Second, we apply the ILP
		  approach to automatic construction of loop invariants in
		  formal proofs of program correctness."
}





@Article{DanYKT89,
  author = 	 "Seiichiro Dan and Takahira Yamaguchi and Osamu Kakusho
		  and Yoshikazu Tezuka",
  title = 	 "Program verification system with synthesizer of invariant assertions",
  journal = 	 "Systems and Computers in Japan",
  year = 	 1989,
  volume =	 20,
  number =	 1,
  pages =	 "1--13"
}


@InProceedings{Andrews98:ASE,
  author = 	 "James H. Andrews",
  title = 	 "Testing using Log File Analysis: Tools, Methods and Issues",
  booktitle = 	 ASE98,
  pages =	 "157--166",
  year =	 1998,
  address =	 "Honolulu, Hawaii",
  month =	 ASE98date
}




@Article{Abramson:1996:RDN,
  author =       "David Abramson and Ian Foster and John Michalakes and
                 Rok Soci{\v{c}}",
  title =        "Relative Debugging: {A} New Methodology for Debugging
                 Scientific Applications",
  journal =      "Communications of the ACM",
  volume =       "39",
  number =       "11",
  pages =        "69--77",
  month =        nov,
  year =         "1996",
  coden =        "CACMA2",
  ISSN =         "0001-0782",
  bibdate =      "Tue Nov 05 06:08:12 1996",
  url =          "http://www.cit.gu.edu.au/~davida/guard.html",
}


@InProceedings{LiaoDBGL99,
  author = 	 "Shih-Wei Liao and Amer Diwan and Bosch, Jr., Robert P.
		  and Anwar Ghuloum and Monica S. Lam",
  title = 	 "{SUIF} {Explorer}: An Interactive and Interprocedural Parallelizer",
  booktitle = 	 PPOPP99,
  year =	 1999,
  pages =        "37--48",
  address =	 PPOPP99addr,
  month =	 PPOPP99date
}


@TechReport{OplingerHLNLO97,
  type =         "Technical Report",
  number =       "CSL-TR-97-715",
  title =        "Software and Hardware for Exploiting Speculative
                 Parallelism with a Multiprocessor",
  month =        feb,
  year = 	 1997,
  bibdate =      "September 30, 1997",
  author =       "Jeffrey Oplinger and David Heine and Shih-Wei Liao and
                 Basem A. Nayfeh and Monica S. Lam and Kunle Olukotun",
  abstract =     "Thread-level speculation (TLS) makes it possible to
                 parallelize general purpose C programs. This paper
                 proposes software and hardware mechanisms that support
                 speculative thread- level execution on a single-chip
                 multiprocessor. A detailed analysis of programs using
                 the TLS execution model shows a bound on the
                 performance of a TLS machine that is promising. In
                 particular, TLS makes it feasible to find speculative
                 do across parallelism in outer loops that can greatly
                 improve the performance of general-purpose
                 applications. Exploiting speculative thread-level
                 parallelism on a multiprocessor requires the compiler
                 to determine where to speculate, and to generate SPMD
                 (single program multiple data) code.We have developed a
                 fully automatic compiler system that uses profile
                 information to determine the best loops to execute
                 speculatively, and to generate the synchronization code
                 that improves the performance of speculative execution.
                 The hardware mechanisms required to support speculation
                 are simple extensions to the cache hierarchy of a
                 single chip multiprocessor. We show that with our
                 proposed mechanisms, thread-level speculation provides
                 significant performance benefits.",
  institution =  "Stanford University, Computer Systems Laboratory",
}



@Misc{KAP/Pro,
  OPTkey = 	 "",
  author = 	 "{Kuck \& Associates}",
  title = 	 "{KAP/Pro} Toolset",
  howpublished = "http://www.kai.com",
  OPTmonth = 	 "",
  OPTyear = 	 "",
  OPTnote = 	 "",
  OPTannote = 	 ""
}


@Misc{DevabhaktuniPPA98,
  author = 	 "Srikrishna Devabhaktuni and Dain Petkov and Georgi Peev and Saman Amarasinghe",
  title = 	 "Softspec:  Software-based speculative parallelism via stride prediction",
  OPTkey = 	 "",
  month = 	 nov,
  year = 	 1998,
  OPTannote = 	 ""
}
% (Unsuccessfully) submitted to PPOPP '99


@Article{KurlanderF93,
  author = 	 "David Kurlander and Steven Feiner",
  title = 	 "Inferring constraints from multiple snapshots",
  journal = 	 "ACM Transactions on Graphics",
  volume =       12,
  number =       4,
  year = 	 1993,
  pages =	 "227--304",
  month =	 oct
}






@InProceedings{GereviniS98,
  author = 	 "Alfonso Gerevini and Lenhart K. Schubert",
  title = 	 "Inferring State Constraints for Domain-Independent Planning",
  booktitle = 	 AAAI98,
  year =	 1998,
  pages=         "905--912",
  address=       "Madison, WI",
  month =	 jul # "~26--30,"
}


@InProceedings{MukherjiS2005,
  author = 	 "Proshanto Mukherji and Lenhart K. Schubert",
  title = 	 "Discovering planning invariants as anomalies in state descriptions",
  booktitle =	 ICAPS2005,
  pages = 	 "223--230",
  year =	 2005,
  address =	 ICAPS2005addr,
  month =	 ICAPS2005date
}


@InProceedings{1990:pldi:callahan,
  author =       "David Callahan and Steve Carr and Ken Kennedy",
  title =        "Improving Register Allocation for Subscripted
                 Variables",
  booktitle =    PLDI90,
  address =      PLDI90addr,
  month =        PLDI90date,
  year =         "1990",
  pages =        "53--65",
  genterms =     "ALGORITHMS, DESIGN, LANGUAGES, PERFORMANCE",
  categories =   "D.3.4 Software, PROGRAMMING LANGUAGES, Processors,
                 Optimization. D.3.4 Software, PROGRAMMING LANGUAGES,
                 Processors, Compilers. D.2.2 Software, SOFTWARE
                 ENGINEERING, Design Tools and Techniques. D.3.2
                 Software, PROGRAMMING LANGUAGES, Language
                 Classifications, FORTRAN. F.3.3 Theory of Computation,
                 LOGICS AND MEANINGS OF PROGRAMS, Studies of Program
                 Constructs.",
  annote =       "incomplete",
}


@InProceedings{greenhouse/boyland:99effects,
  author =      "Aaron Greenhouse and John Boyland",
  title =       "An Object-Oriented Effects System",
  booktitle =   ECOOP99,
  address =     ECOOP99addr,
  date =        ECOOP99date,
  year =        1999,
  pages =       "205--229"
}


@InProceedings{MICRO-99*158,
  author =       "Daniel A. Connors and Wen-mei W. Hwu",
  title =        "Compiler-Directed Dynamic Computation Reuse: Rationale
                 and Initial Results",
  booktitle = 	 MICRO99,
  pages =        "158--169",
  year =	 1999,
  address = 	 MICRO99addr,
  month =	 MICRO99date,
}


@InProceedings{ISCA99*136,
  author =       "M. Merten and A. Trick and C. George and J. Gyllenhaal
                 and W. Hwu",
  title =        "A Hardware-Driven Profiling Scheme for Identifying
                 Program Hot Spots to Support Runtime Optimization",
  pages =        "136--149",
  ISBN =         "0-7695-0170-2",
  booktitle =    ISCA99,
  month =        may # "~1--5,",
  year =         "1999",
}


@Article{1976:tse:biermann,
  title =        "Constructing Programs from Example Computations",
  author =       "Alan W. Biermann and Ramachandran Krishnaswamy",
  pages =        "141--153",
  journal =      TSE,
  ISSN =         "0098-5589",
  year =         "1976",
  volume =       "2",
  month =        sep,
  number =       "3",
  referencedby = "\cite{1998:tse:vanlamsweerde:b}",
  annote =       "incomplete",
}




@InProceedings{FoPeAlCh94,
  author =       "Stephanie Forrest and Alan S. Perelson and Lawrence
                 Allen and Rajesh Cherukuri",
  title =        "Self-Nonself Discrimination",
  keywords =     "intrusion detection, virus",
  year =         "1994",
  month =        may,
  offline =      "deb ids folder",
  annote =       "Preliminary paper on Forrest approach",
  organization = "IEEE Computer Society",
  pages =        "202--212",
  added-at =     "Wed Mar 11 15:03:34 1998",
  booktitle =    "Proceedings of the 1994 {IEEE} Symposium on Research
                 in Security and Privacy",
}




@Article{MillerG99,
  author = 	 "Renee J. Miller and A. Gujarathi",
  title = 	 "Mining for Program Structure",
  journal = 	 "International Journal on Software Engineering and
		  Knowledge Engineering",
  year = 	 1999,
  volume =	 9,
  number =	 5,
  pages =	 "499--517",
  abstract =	 "We report the first in a series of experiments from the
		  Assay project that is designed to tap the wealth of
		  information hidden in existing program analysis data. We
		  make use of statement definition-use data along with
		  variable typing information to learn about the structure
		  of legacy code. Using concept analysis, we develop an
		  interactive knowledge discovery framework into which
		  different types of analysis data can be integrated. We
		  present some case studies conducted using a tool build on
		  top of a large warehouse of program analysis data."
}


@InProceedings{AndritsosM01,
  author = 	 "Periklis Andritsos and Renee J. Miller",
  title = 	 "Reverse Engineering Meets Data Analysis",
  booktitle = 	 "Ninth International Workshop on Program Comprehension
		  (IWPC 2001)",
  pages =	 "157--166",
  year =	 2001,
  address =	 "Toronto, Canada",
  month =	 may # "~12--13,"
}


@Book{McConnell:1993:CCP,
  author =       "Steve McConnell",
  title =        "Code complete:  A practical handbook of software
                 construction",
  publisher =    "Microsoft Press",
  address =      "Redmond, WA, USA",
  year =         1993,
  ISBN =         "1-55615-484-4",
  LCCN =         "QA76.76.D47 M39 1993",
  bibdate =      "Sat Aug 31 09:15:22 MDT 1996",
  price =        "US\$35.00, CDN\$47.95",
  keywords =     "computer software -- development -- handbooks,
                 manuals, etc",
}






@InProceedings{MalikPUK2008,
  author = 	 "Muhammad Zubair Malik and Aman Pervaiz and Engin Uzuncaova and Sarfraz Khurshid",
  title = 	 "Deryaft:  A tool for generating representation invariants of structurally complex data",
  booktitle = ICSE2008,
  pages = 	 "859--862",
  year = 	 2008,
  address = 	 ICSE2008addr,
  month = 	 ICSE2008date,
}


%%%
%%% Computational Learning Theory
%%%

@InProceedings{stoc92*351,
  author =       "Dana Angluin",
  title =        "Computational Learning Theory: Survey and Selected
                 Bibliography",
  pages =        "351--369",
  ISBN =         "0-89791-512-7",
  booktitle =    "Proceedings of the 24th Annual {ACM} Symposium on the
                 Theory of Computing",
  address =      "Victoria, BC, Canada",
  month =        may,
  year =         "1992",
}


@Article{Angluin:1996:SCL,
  author =       "Dana Angluin",
  title =        "A 1996 snapshot of computational learning theory",
  journal =      "ACM Computing Surveys",
  volume =       "28",
  number =       "4es",
  pages =        "216--216",
  month =        dec,
  year =         "1996",
  coden =        "CMSVAN",
  ISSN =         "0360-0300",
  bibdate =      "Thu Jun 26 16:49:57 MDT 1997",
  url =          "http://www.acm.org/pubs/citations/journals/surveys/1996-28-4es/a216-angluin/",
}


@Article{Angluin:1983:IIT,
  author =       "Dana Angluin and Carl H. Smith",
  title =        "Inductive Inference: Theory and Methods",
  journal =      "ACM Computing Surveys",
  volume =       "15",
  number =       "3",
  pages =        "237--269",
  month =        sep,
  year =         "1983",
  coden =        "CMSVAN",
  ISSN =         "0360-0300",
  bibdate =      "Wed Dec 18 07:42:17 MST 1996",
  abstract =     "There has been a great deal of theoretical and
                 experimental work in computer science on inductive
                 inference systems, that is, systems that try to infer
                 general rules from examples. However a complete and
                 applicable theory of such systems is still a distant
                 goal. This survey highlights and explains the main
                 ideas that have been developed in the study of
                 inductive inference, with special emphasis on the
                 relations between the general theory and the specific
                 algorithms and implementations.",
  classification = "723; 912",
  keywords =     "systems science and cybernetics",
}



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Statically detecting invariants
%%%



@InProceedings{CC77:aipl,
  author =       "Patrick M. Cousot and Radhia Cousot",
  year =         1977,
  title =        "Automatic synthesis of optimal invariant assertions:
                 Mathematical foundations",
  booktitle =    AIPL77,
  address =      AIPL77addr,
  month =        aug,
  pages =        "1--12",
}




@InProceedings{CousotC77:AI,
  author = 	 "Patrick Cousot and Radhia Cousot",
  title = 	 "Abstract interpretation: a unified lattice model for
                  static analysis of programs by construction or
                  approximation of fixpoints",
  booktitle =	 popl77,
  pages =	 "238--252",
  year =	 1977,
  OPTmonth = 	 "",
  address =	 POPL77addr
}



@Article{GannodC96,
  author = 	 "Gerald C. Gannod and Betty H.C. Cheng",
  title = 	 "Strongest Postcondition Semantics as the Formal Basis for Reverse Engineering",
  journal = 	 "Journal of Automated Software Engineering",
  year = 	 1996,
  volume =	 3,
  number =	 "1/2",
  pages =	 "139--164",
  month =	 jun,
  abstract =
   "Reverse engineering of program code is the process of
    constructing a higher level abstraction of an implementation in order to
    facilitate the understanding of a system that may be in a ``legacy'' or
    ``geriatric'' state. Changing architectures and improvements in programming
    methods, including formal methods in software development and object
    oriented programming, have prompted a need to reverse engineer and
    reengineer program code. The paper describes the application of the
    strongest postcondition predicate transformer (sp) as the formal basis for
    the reverse engineering of imperative program code.",
}


@Article{GannodC94,
  author = 	 "Gerald C. Gannod and Betty H.C. Cheng",
  title = 	 "Facilitating the Maintenance of Safety-Critical Systems
		  Using Formal Methods",
  journal = 	 "International Journal of Software Engineering and
		  Knowledge Engineering",
  year = 	 1994,
  volume =	 4,
  number =	 2,
  pages =	 "183--204",
  month =	 jun
}


@InProceedings{ChengG91,
  author = 	 "Betty H.C. Cheng and Gerald C. Gannod",
  title = 	 "Abstraction of Formal Specifications from Program Code",
  booktitle = 	 "Proceedings of the 3rd International Conference on Tools
		  for Artificial Intelligence TAI '91",
  pages =	 "125--128",
  address =	 "San Jose, CA",
  year =	 1991,
  month =	 nov
}

@InProceedings{GannodC99,
  author =       "Gerald C. Gannod and Betty H. C. Cheng",
  title =        "A Specification Matching Based Approach to Reverse
                 Engineering",
  booktitle =    ICSE99,
  address =      ICSE99addr,
  year =         "1999",
  pages =        "389--398",
  month =        ICSE99date,
}


@Book{Jones:Gomard:Sestoft:93:PartialEvaluation,
  semno =        "D-135",
  author =       "Neil D. Jones and Carsten K. Gomard and Peter Sestoft",
  title =        "Partial Evaluation and Automatic Program Generation",
  publisher =    "Prentice Hall International",
  year =         1993,
  omitmonth =        jun,
  keywords =     "Partial Evaluation, Binding Time Analysis, Automatic
                 Program Transformation and Generation, Compiler
                 Generation, Self-Application",
  summary =      "This book provides a broad coverage of basic and
                 advanced topics in partial evaluation. A wide spectrum
                 of languages are treated including imperative,
                 functional (first-order, higher-order), and logic
                 programming languages.",
}


@TechReport{CMU//CS-93-225,
  pages =        "17",
  year =         "1993",
  type =         "Technical Report",
  number =       "CS-93-225",
  title =        "Deferred Compilation: The Automation of Run-Time Code
                 Generation",
  bibdate =      "September 13, 1995",
  author =       "Mark Leone and Peter Lee",
  institution =  "Carnegie Mellon University, School of Computer
                 Science",
  month =        dec,
  notes =        "Run-time code generation, deferred compilation,
                 partial evaluation, specialization, binding-time
                 analysis, staging transformation",
}




@InProceedings{Palsberg:1995:CFB,
  author =       "Jens Palsberg",
  title =        "Comparing Flow-Based Binding-Time Analyses",
  booktitle = 	 TAPSOFT95,
  pages =	 "561--574",
  year =	 1995,
  address =	 tapsoft95addr,
  month =	 tapsoft95date,
}


@InProceedings{PLDI::KolteW1995,
  title =        "Elimination of Redundant Array Subscript Range
                 Checks",
  author =       "Priyadarshan Kolte and Michael Wolfe",
  booktitle =    PLDI95,
  address =      pldi95addr,
  month =        pldi95date,
  year =         "1995",
  pages =        "270--278",
}

@InProceedings{PLDI::XiP1998,
  title =        "Eliminating Array Bound Checking through Dependent
                 Types",
  author =       "Hongwei Xi and Frank Pfenning",
  booktitle =    PLDI98,
  address =      pldi98addr,
  month =        pldi98date,
  year =         "1998",
  pages =        "249--257",
  references =   "\cite{PLDI::FreemanP1991} \cite{LOPLAS::Gupta1994}
                 \cite{POPL::Necula1997} \cite{PLDI::NeculaL1998}
                 \cite{PLDI::Pugh1992} \cite{JACM::Shostak1977}
                 \cite{POPL::SusukiI1977}",
}


@InProceedings{Xi-Pfenning99,
  key =          "Xi \& Pfenning",
  author =       "Hongwei Xi and Frank Pfenning",
  title =        "Dependent Types in Practical Programming",
  booktitle =    POPL99,
  year =         1999,
  address =      popl99addr,
  month =        popl99date,
  pages =        "214--227",
  annote =       "28 references.",
}


@article{Zenger97,
   author    = {Christoph Zenger},
   title     = {Indexed Types},
   journal   = {Theoretical Computer Science},
   pages     = {147--165},
   year      = {1997},
   volume    = {187},
   abstract =
   "A new extension of the Hindley/Milner type system is
    proposed. The type system has algebraic types, that have not only type
    parameters, but also value parameters (indices). This allows for example to
    parameterize matrices and vectors by their size and to check size
    compatibility statically. This is especially of interest in computer
    algebra.",
}


@InProceedings{SuzukiIsh77,
  author =       "Norihisa Suzuki and Kiyoshi Ishihata",
  title =        "Implementation of an Array Bound Checker",
  booktitle =    POPL77,
  address =      "Los Angeles, CA",
  month =        jan # " 17--19,",
  year =         "1977",
  pages =        "132--143",
}



@InProceedings{BeLS96,
  author =       "Saddek Bensalem and Yassine Lakhnech and Hassen Saidi",
  title =        "Powerful Techniques for the automatic Generation of
                 Invariants",
  booktitle =    CAV96,
  year =         1996,
  pages =        "323--335",
  address =      CAV96addr,
  month =        CAV96date,
  abstract =     "When proving invariance properties of programs one is
                 faced with two problems. The first problem is related
                 to the necessity of proving tautologies of the
                 considered assertion language, whereas the second
                 manifests in the need of finding sufficiently strong
                 invariants. This paper focuses on the second problem
                 and describes techniques for the automatic generation
                 of invariants. The first set of these techniques is
                 applicable on sequential transition systems and allows
                 to derive so-called local invariants, i.e. predicates
                 which are invariants at some control location. The
                 second is applicable on networks of transition systems
                 and allows to combine local invariants of the
                 sequential components to obtain local invariants of the
                 global systems. Furthermore, refined strengthening
                 technique is presented that allows to avoid the problem
                 of size-increase of the considered predicates which is
                 the main drawback of the usual strengthening technique.
                 The proposed techniques are illustrated by examples.",
}

@TechReport{E74:sri,
  author =       "Bernard Elspas",
  month =        jul,
  year =         "1974",
  title =        "The semiautomatic generation of inductive assertions
                 for proving program correctness",
  type =         "Interim Report Project",
  number =       "2686",
  institution =  "Stanford Research Institute",
  address =      "Menlo Park, CA",
}



@Article{Bjorner:1997:AGI,
  author =       "Nicolaj Bj{\o}rner and Anca Browne and Zohar Manna",
  title =        "Automatic generation of invariants and intermediate
                 assertions",
  journal =      "Theoretical Computer Science",
  volume =       "173",
  number =       "1",
  pages =        "49--87",
  day =          "20",
  month =        feb,
  year =         "1997",
  coden =        "TCSCDI",
  ISSN =         "0304-3975",
  bibdate =      "Wed May 27 07:21:35 MDT 1998",
  classification = "C1160 (Combinatorial mathematics); C4210 (Formal
                 logic); C6110F (Formal methods); C6150N (Distributed
                 systems software)",
  conflocation = "Cassis, France; 19-22 Sept. 1995",
  conftitle =    "Principles and Practice of Constraint Programming",
  corpsource =   "Dept. of Comput. Sci., Stanford Univ., CA, USA",
  keywords =     "abstract backward propagation; abstract forward
                 propagation; approximation techniques; approximation
                 theory; assertion graphs; automatic intermediate
                 assertion generation; automatic invariant generation;
                 auxiliary assertions; concurrent systems; formal
                 specification; formal verification; general safety
                 property verification; graph theory; large-scale
                 verification; parallel processing; reactive systems;
                 temporal logic; temporal specification verification",
  pubcountry =   "Netherlands",
  sponsororg =   "ACM",
  treatment =    "T Theoretical or Mathematical",
  xxauthor =     "M. Bjorner and A. Browne and Z. Manna",
  abstract =     "Verifying temporal specifications of reactive and concurrent
		  systems commonly relies on generating auxiliary
		  assertions and on strengthening given properties of the
		  system.  This can be achieved by two dual approaches: the
		  bottom-up method performs an abstract forward propagation
		  (computation) of the system, generating auxiliary
		  assertions; the top-down method performs an abstract
		  backward propagation to strengthen given properties.
		  Exact application of these methods is complete but is
		  usually infeasible for large-scale verification.
		  Approximation techniques are often needed to complete the
		  verification.  The authors give an overview of known
		  methods for generation of auxiliary invariants in the
		  verification of invariance properties.  They extend these
		  methods by formalizing and analyzing a general
		  verification rule that uses assertion graphs to generate
		  auxiliary assertions for the verification of general
		  safety properties."
}



@InProceedings{HenryWF90,
  author =       "Robert Henry and Kenneth M. Whaley and Bruce Forstall",
  title =        "The {University} of {Washington} {Illustrating} {Compiler}",
  booktitle =    PLDI90,
  address =      pldi90addr,
  month =        pldi90date,
  year =         "1990",
  pages =        "223--246",
  abstract =     "The University of Washington illustrating compiler
                 (UWPI) automatically illustrates the data structures
                 used in simple programs written in a subset of Pascal.
                 A UWPI user submits a program to UWPI, and can then
                 watch a graphical display show time varying
                 illustrations of the data structures and program source
                 code. UWPI uses the information latent in the program
                 to determine how to illustrate the program. UWPI infers
                 the abstract data types directly from the declarations
                 and operations used in the source program, and then
                 lays out the illustration in a natural way by
                 instantiating well-known layouts for the abstract
                 types. UWPI solves program illustration using
                 compile-time pattern matching and type inferencing to
                 link anticipated execution events to display events,
                 rather than relying on user assistance or specialized
                 programming techniques. UWPI has been used to
                 automatically illustrate didactic sorting and searching
                 examples, and can be used to help teach basic data
                 structures, or to help when debugging programs.",
}


@InProceedings{Givan:1996:IPS,
  author =       "Robert Givan",
  title =        "Inferring Program Specifications in Polynomial-Time",
  booktitle = 	 SAS96,
  pages =	 "205--219",
  year =	 1996,
  address =	 SAS96addr,
  month =	 sas96date,
  abstract =     "We consider the problem of automatically inferring properties
		  of programs.  Our approach is to explore the application
		  of familiar type inference principles to a ``type system''
		  sufficiently expressive that the typing problem is
		  effectively the checking of program specifications.  We
		  use familiar syntax-directed type inference rules to give
		  a polynomial-time procedure for inferring type theorems
		  in this rich type system.  We discuss examples of simple
		  functional programs and the specification information
		  this procedure automatically infers.  The enriched notion
		  of type allows the definition of any recursively
		  enumerable set as a type, and includes argument-
		  dependent output types for functions.  The inference
		  procedure is capable, for example, of automatically
		  inferring that an insertion sort program always returns a
		  sorted permutation of its input."
}




@PhdThesis{Givan96,
  author = 	 "Givan, Jr., Robert Lawrence",
  title = 	 "Automatically Inferring Properties of Computer Programs",
  school = 	 "MIT",
  year = 	 1996,
  address =	 "Cambridge, MA",
  month =	 jun
}


@InProceedings{AAAI97_IAAI97*404,
  author =       "Robert Givan",
  title =        "Obvious Properties of Computer Programs",
  pages =        "404--410",
  ISBN =         "0-262-51095-2",
  booktitle =    "Proceedings of the 14th National Conference on
                 Artificial Intelligence and 9th Innovative Applications
                 of Artificial Intelligence Conference
                 ({AAAI}-97/{IAAI}-97)",
  month =        jul # "27--31~",
  publisher =    "AAAI Press",
  address =      "Menlo Park",
  year =         "1997",
}


@Book{WatermanH78,
  editor =	 "D. A. Waterman and Frederick Hayes-Roth",
  title = 	 "Pattern-directed inference systems",
  publisher = 	 "Academic Press",
  year = 	 1978,
  address =	 "New York"
}


@InProceedings{C75:icrs,
  author =       "Michel C. Caplain",
  month =        apr,
  year =         "1975",
  title =        "Finding invariant assertions for proving programs",
  booktitle =    "Proceedings of the International Conference on
                 Reliable Software",
  address =      "Los Angeles, CA",
  pages =        "165--171",
  abstract =     "We attempt to extract from any program loop its ``Most
		  General Invariant'' in order to either prove its
		  correctness, including termination, or disprove it and
		  propose correctness.",
}




@InProceedings{VaziriH98,
  author = 	 "Mandana Vaziri and Gerard Holzmann",
  title = 	 "Automatic Detection of Invariants in {S}pin",
  booktitle = 	 SPIN98,
  pages = 	 "129--138",
  year = 	 1998,
  address =	 SPIN98addr,
  month = 	 SPIN98date
}


@InProceedings{JeffordsH98,
  author = 	 "Ralph Jeffords and Constance Heitmeyer",
  title = 	 "Automatic Generation of State Invariants from Requirements Specifications",
  booktitle = 	 fse98,
  pages =	 "56--69",
  year =	 1998,
  address =	 fse98addr,
  month =	 fse98date,
  abstract =
   "Automatic generation of state invariants, properties that hold in every
    reachable state of a state machine model, can be valuable in software
    development. Not only can such invariants be presented to system users for
    validation, in addition, they can be used as auxiliary assertions in
    proving other invariants. This paper describes an algorithm for the
    automatic generation of state invariants that, in contrast to most other
    such algorithms, which operate on programs, derives invariants from
    requirements specifications. Generating invariants from requirements
    specifications rather than programs has two advantages: 1) because
    requirements specifications, unlike programs, are at a high level of
    abstraction, generation of and analysis using such invariants is easier,
    and 2) using invariants to detect errors during the requirements phase is
    considerably more cost-effective than using invariants later in software
    development. To illustrate the algorithm, we use it to generate state
    invariants from requirements specifications of an automobile cruise control
    system and a simple control system for a nuclear plant. The invariants are
    derived from specifications expressed in the SCR (Software Cost Reduction)
    tabular notation.",
}

@InProceedings{z:lano90,
  author =       "Kevin C. Lano and Peter T. Breuer",
  title =        "From Programs to {Z} Specifications",
  editor =       "John E. Nicholls",
  booktitle =    "Z User Workshop:  Proceedings of the Fourth Annual {Z} User Workshop, {Oxford} 1989",
  publisher =    "Springer-Verlag",
  address = 	 "Oxford",
  series =       "Workshops in Computing",
  year =         1990,
  ISBN =         "3-540-19627-7",
  pages =        "46--70",
}


@InProceedings{ward:89,
  author =       "Martin Ward and Frank W. Calliss and Malcolm Munro",
  title =        "The {M}aintainer's {A}ssistant",
  booktitle =    ICSM89,
  year =         1989,
  pages =        "307--315",
  address =	 ICSM89addr,
  abstract =     "The Maintainer's Assistant is a code analysis tool
                 aimed at helping the maintenance programmer to
                 understand and modify a given program. Program
                 transformation techniques are employed by the
                 Maintainer's Assistant both to derive a specification
                 from a section of code and to transform a section of
                 code into a logically equivalent form. The general
                 structure of the tool is described and two examples of
                 the application of program transformations are given.",
  class =        "Reengineering_Tools, Maintainer_s_Assistant",
  sender =       "koschke@informatik.uni-stuttgart.de",
}







@Article{Ward:1996:PAF,
  author =       "Martin P. Ward",
  title =        "Program analysis by formal transformation",
  journal =      "The Computer Journal",
  volume =       "39",
  number =       "7",
  pages =        "598--618",
  OPTmonth =        "",
  year =         "1996",
  coden =        "CMPJA6",
  ISSN =         "0010-4620",
  bibdate =      "Tue Mar 25 13:51:56 MST 1997",
  classcodes =   "C6110F (Formal methods); C6110B (Software engineering
                 techniques); C6120 (File organisation); C6150G
                 (Diagnostic, testing, debugging and evaluating
                 systems)",
  corpsource =   "Dept. of Comput. Sci., Durham Univ., UK",
  keywords =     "abstract specification; arrays; case study; complex
                 control; data structures; diagnostics; flow; formal
                 specification; formal transformation; high-level
                 specifications; linked lists; low-level program
                 operations; program; program analysis; program
                 manipulation; reverse engineering; semantics-preserving
                 operations; sets; software maintenance; sorting;
                 structured programming; topological sorting; topology;
                 Wide Spectrum Language; WSL",
  treatment =    "B Bibliography; P Practical",
  url =          "http://www.oup.co.uk/jnls/list/comjnl/hdb/Volume_39/Issue_07/390598.sgm.abs.html",
}







@Article{IEEETSE::DunlopB1984,
  title =        "A Heuristic for Deriving Loop Functions",
  author =       "Douglas D. Dunlop and Victor R. Basili",
  journal =      TSE,
  pages =        "275--285",
  month =        may,
  year =         "1984",
  volume =       "10",
  number =       "3",
}


@Article{Dunlop:1985:GSU,
  author =       "Douglas D. Dunlop and Victor R. Basili",
  title =        "Generalizing Specifications for Uniformly Implemented Loops",
  journal =      "ACM Transactions on Programming Languages and Systems",
  volume =       "7",
  number =       "1",
  pages =        "137--158",
  month =        jan,
  year =         "1985",
  coden =        "ATPSDT",
  ISSN =         "0164-0925",
  url =          "http://www.acm.org/pubs/toc/Abstracts/0164-0925/2708.html",
  acknowledgement = ack-pb,
  keywords =     "languages; theory; verification",
  subject =      "{\bf D.3.3}: Software, PROGRAMMING LANGUAGES, Language
                 Constructs and Features, Control structures. {\bf
                 F.3.1}: Theory of Computation, LOGICS AND MEANINGS OF
                 PROGRAMS, Specifying and Verifying and Reasoning about
                 Programs, Specification techniques. {\bf D.2.4}:
                 Software, SOFTWARE ENGINEERING, Program Verification,
                 Assertion checkers. {\bf D.2.4}: Software, SOFTWARE
                 ENGINEERING, Program Verification, Correctness proofs.
                 {\bf D.2.4}: Software, SOFTWARE ENGINEERING, Program
                 Verification, Validation.",
}




@Article{IEEETSE::Abd-El-HafizB1996,
  title =        "A Knowledge-Based Approach to the Analysis of Loops",
  author =       "Salwa K. Abd-El-Hafiz and Victor R. Basili",
  journal =      TSE,
  pages =        "339--360",
  month =        may,
  year =         "1996",
  volume =       "22",
  number =       "5",
}



@InProceedings{fox.long-1994:oneffic:inbook:,
  author =       "Maria Fox and Derek Long",
  title =        "On the Efficient Validation of Partial Plans",
  booktitle =    "Proceedings of The Thirteenth Workshop of the UK
                 Planning Special Interest Group",
  year =         "1994",
  address =      "University of Strathclyde, Glasgow",
  month =        sep,
}



@InProceedings{Rintanen2000,
  author = 	 "Jussi Rintanen",
  title = 	 "An iterative algorithm for synthesizing invariants",
  booktitle = 	 AAAI2000,
  pages = 	 "806--811",
  year =	 2000,
  address = 	 AAAI2000addr,
  month = 	 AAAI2000date
}


@Article{Aggarwal:2001:RFA,
  author =       "Aneesh Aggarwal and Keith Randall",
  title =        "Related Field Analysis",
  journal =      "ACM SIG{\-}PLAN Notices",
  volume =       "36",
  number =       "5",
  pages =        "214--220",
  month =        may,
  year =         "2001",
  coden =        "SINODQ",
  ISSN =         "0362-1340",
  bibdate =      "Wed Jul 11 12:48:53 2001",
  acknowledgement = ack-nhfb,
}




@InProceedings{Taghdiri2004,
  author = 	 "Mana Taghdiri",
  title = 	 "Inferring specifications to detect errors in code",
  booktitle =	 ASE2004,
  pages =	 "144--153",
  year =	 2004,
  address =	 ASE2004addr,
  month =	 ASE2004date
}



@InProceedings{BallLX2004,
  author = 	 "Thomas Ball and Vladimir Levin and Fei Xie",
  title = 	 "Automatic creation of environment models via training",
  booktitle = TACAS2004,
  pages = 	 "93--107",
  year = 	 2004,
  address = 	 TACAS2004addr,
  month = 	 TACAS2004date,
}





%%%
%%% ADDS
%%%











%%%
%%% Heuristics for statically determining program properties
%%%

@Article{German:Wegbreit:ieee:tose:1975,
  author =       "Steven M. German and Ben Wegbreit",
  title =        "A Synthesizer of Inductive Assertions",
  journal =      TSE,
  volume =       "1",
  number =       "1",
  pages =        "68--75",
  month =        mar,
  year =         "1975",
  refs =         "21",
  checked =      "19940609",
  source =       "Main library",
  keywords =     "completing inductive assertions, inductive assertions,
                 loop invariants, loop predicates, program verification,
                 synthesis of inductive assertions, theorem proving,
                 weak interpretations",
  abstract =     "Most current methods for mechanical program
                 verification require a complete inductive assertion on
                 each loop.  As this is tedious and error prone,
                 producing a program with complete, correct assertions
                 is moderately difficult.  This paper describes a
                 prototype system {\sc vista} which provides assistance
                 in synthesizing correct inductive assertions.  Given only
                 the source program, it is able to generate a useful
                 class of assertions automatically.  For a larger class,
                 it is able to extend partial inductive assertions
                 supplied by the programmer to form complete assertions
                 from which it proves program correctness.  Its synthesis
                 methods include: symbolic evaluation in a weak
                 interpretation, combining output assertions with loop
                 exit information to obtain trail loop assertions, and
                 extracting information from proofs which fail in order
                 to determine how assertions should be strengthened.  We
                 present Vista as a step toward practical program
                 verifiers.",
  reffrom =      "Basu:Yeh:ieee:tose:1975",
}

@Article{Katz:1976:LAP,
  author =       "Shmuel Katz and Zohar Manna",
  title =        "Logical Analysis of Programs",
  journal =      "Communications of the ACM",
  volume =       "19",
  number =       "4",
  pages =        "188--206",
  month =        apr,
  year =         "1976",
  coden =        "CACMA2",
  ISSN =         "0001-0782",
  mrclass =      "68A05",
  mrnumber =     "56 17183",
  bibdate =      "Tue Mar 25 13:26:09 MST 1997",
  abstract =     "Most present systems for verification of computer
                 programs are incomplete in that intermediate inductive
                 assertions must be provided manually by the user,
                 termination is not proven, and incorrect programs are
                 not treated. As a unified solution to these problems,
                 this paper suggests conducting a logical analysis of
                 programs by using invariants which express what is
                 actually occurring in the program. Techniques for the
                 automatic generation of invariants are examined.
                 Criteria for using the invariants to check
                 simultaneously for correctness (including termination)
                 or incorrectness are provided. Implications of the
                 approach for the automatic diagnosis and correction of
                 logical errors are discussed.",
  classcodes =   "C6150G (Diagnostic, testing, debugging and evaluating
                 systems)",
  classification = "723; 921",
  corpsource =   "Weizmann Inst. of Sci., Rehovoth, Israel",
  journalabr =   "Commun ACM",
  keywords =     "automatic diagnosis; computer programming languages;
                 correctness; incorrectness; invariants; logical
                 analysis; mathematical techniques; program debugging;
                 program testing; program verification",
  treatment =    "P Practical",
}

@TechReport{STAN//CS-TR-73-341,
  bibdate =      "September 25, 1995",
  type =         "Technical Report",
  number =       "CS-TR-73-341",
  title =        "A heuristic approach to program verification.",
  year =         "1973",
  month =        mar,
  institution =  "Stanford University, Department of Computer Science",
  pages =        "42",
  author =       "Shmuel M. Katz and Zohar Manna",
  abstract =     "We present various heuristic techniques for use in
                 proving the correctness of computer programs. The
                 techniques are designed to obtain automatically the
                 ``inductive assertions'' attached to the loops of the
                 program which previously required human
                 ``understanding'' of the program's performance. We
                 distinguish between two general approaches: one in
                 which we obtain the inductive assertion by analyzing
                 predicates which are known to be true at the entrances
                 and exits of the loop (\$underline{top-down}\$
                 approach), and another in which we generate the
                 inductive assertion directly from the statements of the
                 loop (\$underline{bottom-up}\$ approach).",
  notes =        "[Adminitrivia V1/Prg/19950925]",
}

@InProceedings{ijcai73*500,
  author =       "Shmuel M. Katz and Zohar Manna",
  title =        "A Heuristic Approach to Program Verification",
  pages =        "500--512",
  ISBN =         "0-934613-58-3",
  editor =       "Nils J. Nilsson",
  booktitle =    IJCAI73,
  address =      IJCAI73addr,
  month =        aug,
  year =         "1973",
  publisher =    "William Kaufmann",
}

@Article{Wegbreit:1974:SLP,
  author =       "Ben Wegbreit",
  title =        "The Synthesis of Loop Predicates",
  journal =      "Communications of the ACM",
  volume =       "17",
  number =       "2",
  pages =        "102--112",
  month =        feb,
  year =         "1974",
  coden =        "CACMA2",
  ISSN =         "0001-0782",
  mrclass =      "68A05",
  mrnumber =     "49 8420",
  mrreviewer =   "Armin Cremers",
  bibdate =      "Tue Mar 25 13:26:09 MST 1997",
  abstract =     "Current methods for mechanical program verification
                 require a complete predicate specification on each
                 loop. Because this is tedious and error prone,
                 producing a program with complete, correct predicates
                 is reasonably difficult and would be facilitated by
                 machine assistance. This paper discusses techniques for
                 mechanically synthesizing loop predicates. Two classes
                 of techniques are considered: (1) heuristic methods
                 which derive loop predicates from boundary conditions
                 and/or partially specified inductive assertions: (2)
                 extraction methods which use input predicates and
                 appropriate weak interpretations to obtain certain
                 classes of loop predicates by an evaluation on the weak
                 interpretation.",
  classcodes =   "C4240 (Programming and algorithm theory); C6150G
                 (Diagnostic, testing, debugging and evaluating
                 systems)",
  classification = "721; 723",
  corpsource =   "Harvard Univ., Cambridge, MA, USA",
  journalabr =   "Commun ACM",
  keywords =     "assertions; automata theory --- Theorem Proving;
                 boundary conditions; computer operating systems;
                 computer programming; extraction methods; heuristic
                 methods; inductive; inductive assertions; input
                 predicates; interpretations; loop predicates;
                 mechanical program verification; program debugging;
                 program verification; program verifiers; programming
                 theory; property extraction; synthesis; synthesis of
                 loop predicates; theorem proving; weak; weak
                 interpretation; weak interpretations; well founded
                 sets; well-founded sets",
  treatment =    "A Application; T Theoretical or Mathematical",
}

@InProceedings{ijcai73*524,
  author =       "Ben Wegbreit",
  title =        "Heuristic Methods for Mechanically Deriving Inductive
                 Assertions",
  pages =        "524--536",
  ISBN =         "0-934613-58-3",
  editor =       "Nils J. Nilsson",
  booktitle =    IJCAI73,
  address =      IJCAI73addr,
  month =        aug,
  year =         "1973",
  publisher =    "William Kaufmann",
}

@Article{Wegbreit77,
  author =       "Ben Wegbreit",
  title =        "Constructive Methods in Program Verification",
  journal =      TSE,
  year =         "1977",
  volume =       "SE-3",
  number =       "3",
  month =        may,
  pages =        "193--209",
  annote =       "17 references.",
}

@Article{Morris:1977:SI,
  author =       "Morris, Jr., James H. and Ben Wegbreit",
  title =        "Subgoal Induction",
  journal =      "Communications of the ACM",
  volume =       "20",
  number =       "4",
  pages =        "209--222",
  month =        apr,
  year =         "1977",
  coden =        "CACMA2",
  ISSN =         "0001-0782",
  mrclass =      "68A05",
  mrnumber =     "56 4222",
  mrreviewer =   "Andrea Maggiolo-Schettini",
  bibdate =      "Tue Mar 25 13:26:09 MST 1997",
  abstract =     "A proof method, subgoal induction, is presented as an
                 alternative or supplement to the commonly used
                 inductive assertion method. Its major virtue is that it
                 can often be used to prove a loop's correctness
                 directly from its input-output specification without
                 the use of an invariant. The relation between subgoal
                 induction and other commonly used induction rules is
                 explored and, in particular, it is shown that subgoal
                 induction can be viewed as a specialized form of
                 computation induction.",
  classcodes =   "C4240 (Programming and algorithm theory)",
  classification = "723",
  corpsource =   "Xerox Palo Alto Res. Center, Palo Alto, CA, USA",
  journalabr =   "Commun ACM",
  keywords =     "computer metatheory --- Programming Theory; computer
                 programming; computer programming languages --- Program
                 Debugging; functional verification correctness; program
                 proving; programming theory; subgoal induction",
  treatment =    "T Theoretical or Mathematical",
}

@Article{Wegbreit:1976:PPC,
  author =       "Ben Wegbreit and Jay M. Spitzen",
  title =        "Proving Properties of Complex Data Structures",
  journal =      "Journal of the ACM",
  volume =       "23",
  number =       "2",
  pages =        "389--396",
  month =        apr,
  year =         "1976",
  coden =        "JACOAH",
  ISSN =         "0004-5411",
  bibdate =      "Wed Jan 15 18:12:53 MST 1997",
  abstract =     "This paper is concerned with proving properties of
                 programs which use data structures. The goal is to be
                 able to prove that all instances of a class (e.g. as
                 defined in Simula) satisfy some property. A method of
                 proof which achieves this goal, generator induction, is
                 studied and compared to other proof rules and methods;
                 inductive assertions, recursion induction, computation
                 induction, and, in some detail, structural induction.
                 The paper concludes by using generator induction to
                 prove a characteristic property of an implementation of
                 hashtables.",
  classification = "723",
  journalabr =   "J Assoc Comput Mach",
  keywords =     "computer metatheory",
}

@Article{Wegbreit:1977:CSI,
  author =       "Ben Wegbreit",
  title =        "Complexity of Synthesizing Inductive Assertions",
  journal =      "Journal of the ACM",
  volume =       "24",
  number =       "3",
  pages =        "504--512",
  month =        jul,
  year =         "1977",
  coden =        "JACOAH",
  ISSN =         "0004-5411",
  bibdate =      "Wed Nov 2 23:43:48 1994",
}

@Article{Spitzen:Wegbreit:acta:1975,
  author =       "J. Spitzen and B. Wegbreit",
  title =        "The verification and synthesis of data structures",
  journal =      "Acta Informatica",
  volume =       "4",
  pages =        "127--144",
  year =         "1975",
  reffrom =      "Horning:pc:1978a",
  reffrom =      "London:Guttag:Horning:Lampson:Mitchell:Popek:pc:1978",
  reffrom =      "Owicki:pc:1978a",
  reffrom =      "Guttag:pc:1978",
}


@Article{1980:tse:tamir,
  title =        "{ADI}: Automatic Derivation of Invariants",
  author =       "Moshe Tamir",
  pages =        "40--48",
  journal =      TSE,
  ISSN =         "0098-5589",
  year =         "1980",
  volume =       "SE-6",
  month =        jan,
  number =       "1",
}


%%%
%%% Model checking
%%%

@Book{MannaP91,
  author =       "Zohar Manna and Amir Pnueli",
  title =        "The Temporal Logic of Reactive and Concurrent Systems:
                 Specification",
  year =         "1991",
  publisher =    "Springer Verlag",
  address =      "New York"
}


@Book{1993:book:mcmillan,
  author =       "Kenneth L. McMillan",
  title =        "Symbolic model checking",
  publisher =    "Kluwer Academic Publishers",
  year =         "1993",
}




@Book{ClarkeGP99,
  author = 	 "E. M. Clarke and Orna Grumberg and Doron Peled",
  title = 	 "Model Checking",
  publisher = 	 "MIT Press",
  year = 	 "1999",
  OPTkey = 	 "",
  OPTvolume = 	 "",
  OPTnumber = 	 "",
  OPTseries = 	 "",
  OPTaddress = 	 "",
  OPTedition = 	 "",
  OPTmonth = 	 "",
  OPTnote = 	 "",
  OPTannote = 	 ""
}



@Article{HavelundP2000,
  author = 	 "Klaus Havelund and Thomas Pressburger",
  title = 	 "Model checking {Java} programs using {Java} {PathFinder}",
  journal = 	 STTT,
  year = 	 2000,
  volume =	 2,
  number =	 4,
  pages =	 "366--381"
}






@Article{1997:tse:holzmann,
  title =        "The Model Checker {SPIN}",
  author =       "Gerard J. Holzmann",
  pages =        "279--295",
  journal =      TSE,
  ISSN =         "0098-5589",
  year =         "1997",
  volume =       "23",
  month =        may,
  number =       "5",
  referencedby = "\cite{1998:tse:heitmeyer}",
  note =         "Special Issue: Formal Methods in Software Practice",
  annote =       "incomplete",
}

% Old key was CADE92*748
@InProceedings{PVS,
  author =       "S. Owre and J. M. Rushby and N. Shankar",
  title =        "{PVS}: A Prototype Verification System",
  pages =        "748--752",
  ISBN =         "3-540-55602-8",
  booktitle =    CADE92,
  address =      CADE92addr,
  month =        CADE92date,
  year =         1992,
}



@InProceedings{Owre96,
  author = 	 "S. Owre and S. Rajan and J. M. Rushby and N. Shankar and M. Srivas",
  title = 	 "PVS: combining specification, proof checking, and model checking",
  booktitle = 	 CAV96,
  pages =	 "411--414",
  year =	 1996,
  address =	 CAV96addr,
  month =	 CAV96date,
}


@Article{1995:tse:owre,
  title =        "Formal Verification for Fault-Tolerant Architectures:
                 Prolegomena to the Design of {PVS}",
  author =       "Sam Owre and John Rushby and Natarajan Shankar and
                 Friedrich von Henke",
  pages =        "107--125",
  journal =      TSE,
  ISSN =         "0098-5589",
  year =         1995,
  volume =       21,
  month =        feb,
  number =       2,
  referencedby = "\cite{1997:icse:baresi}, \cite{1997:tse:walter},
                 \cite{1998:tse:chetali}, \cite{1998:tse:rushby},
                 \cite{1998:tse:easterbrook}",
  note =         "Special Section---Best Papers of {FME} ({F}ormal
                 {M}ethods {E}urope){~'93}",
  annote =       "incomplete",
}

@InProceedings{CorbettDHPRLZ2000,
  author = 	 "James Corbett and Matthew Dwyer and John Hatcliff and
                  Corina P\u{a}s\u{a}reanu and Robby and Shawn Laubach and Hongjun Zheng",
  authorASCII = 	 "James Corbett and Matthew Dwyer and John Hatcliff and
                  Corina Pasareanu and Robby and Shawn Laubach and Hongjun Zheng",
  title = 	 "Bandera: Extracting Finite-State Models from {Java} Source Code
",
  booktitle = 	 ICSE2000,
  pages = 	 "439--448",
  year =	 2000,
  address =	 ICSE2000addr,
  month =	 ICSE2000date,
}









@InProceedings{ICSE99*597,
  author =       "Gerard J. Holzmann and Margaret H. Smith",
  title =        "A Practical Method for Verifying Event-Driven
                 Software",
  pages =        "597--608",
  booktitle =    ICSE99,
  ISBN =         "1-58113-074-0",
  month =        ICSE99date,
  publisher =    "Association for Computing Machinery",
  address =      ICSE99addr,
  year =         1999,
}


@InProceedings{Godefroid97a,
  author =       "P. Godefroid",
  year =         "1997",
  title =        "{VeriSoft}: {A} Tool for the Automatic Analysis of
                 Concurrent Reactive Software",
  booktitle =    "Proc. 9th International Computer Aided Verification
                 Conference",
  pages =        "476--479",
  abstract =     "VeriSoft is a tool for systematically exploring the
                 state spaces of systems composed of several concurrent
                 processes executing arbitrary code written in
                 full-fledged programming languages such as C or C++. It
                 can automatically detect coordination problems between
                 concurrent processes. Specifically, VeriSoft searches
                 the state space of the system for deadlocks, livelocks,
                 divergences, and violations of user-specified
                 assertions. An interactive graphical simulator/debugger
                 is also available for following the execution of all
                 the processes of the concurrent system.",
}





%%%
%%% Temporal invariants
%%%



@Book{IB-B951351,
  author =       "Zohar Manna and Amir Pnueli",
  title =        "Temporal Verification of Reactive Systems: Safety",
  publisher =    "Springer-Verlag",
  address =      "New York",
  year =         "1995",
  ISBN =         "0-387-94459-1",
}

@InProceedings{Drusinsky2000,
  author = 	 "Doron Drusinsky",
  title = 	 "The {Temporal Rover} and the {ATG Rover}",
  booktitle =	 "SPIN Model Checking and Software Verification, 7th
                  International SPIN Workshop",
  pages =	 "323--330",
  year =	 2000,
  address =	 "Stanford, CA, USA",
  month =	 aug # "~30--" # sep # "~1,",
  abstract =
   "The Temporal Rover is a specification based verification tool for
    applications written in C, C++, Java, Verilog and VHDL. The tool combines
    formal specification, using Linear-Time Temporal Logic (LTL) and Metric
    Temporal Logic (MTL), with conventional simulation/execution based
    testing. The Temporal Rover is tailored for the verification of complex
    protocols and reactive systems where behavior is time dependent. The
    Temporal Rover generates executable code from LTL and MTL assertions
    written as comments in the source code. This executable source code is
    compiled and linked as part of the application under test. During
    application execution the generated code validates the executing program
    against the formal temporal specification requirements. Using MTL, real
    time and relative time constraints can be validated. A special code
    generator supports validation of such constraints in the field, on an
    embedded target."
}



@InProceedings{YangE2004:PASTE,
  author = 	 "Jinlin Yang and David Evans",
  title = 	 "Dynamically Inferring Temporal Properties",
  booktitle =	 PASTE2004,
  pages = 	 "23--28",
  year =	 2004,
  address =	 PASTE2004addr,
  month =	 PASTE2004date
}

@InProceedings{YangE2004:ISSRE,
  author = 	 "Jinlin Yang and David Evans",
  title = 	 "Automatically Inferring Temporal Properties for Program Evolution",
  booktitle =	 ISSRE2004,
  pages = {340--351},
  year =	 2004,
  address =	 ISSRE2004addr,
  month =	 ISSRE2004date
}



@InProceedings{YangEBBD2006,
  author = 	 "Jinlin Yang and David Evans and Deepali Bhardwaj and
                  Thirumalesh Bhat and Manuvir Das",
  title = 	 "Perracotta: Mining Temporal {API} Rules from Imperfect Traces",
  booktitle =    ICSE2006,
  pages = 	 "282--291",
  year = 	 2006,
  address = 	 ICSE2006addr,
  month = 	 ICSE2006date,
}



@InProceedings{LoK2006,
  author = 	 "David Lo and Siau-Cheng Khoo",
  title = 	 "{SMArTIC}: Towards building an accurate, robust and scalable specification miner",
  booktitle = FSE2006,
  pages = 	 "265--275",
  year = 	 2006,
  address = 	 FSE2006addr,
  month = 	 FSE2006date,
}


@InProceedings{WeimerN2005,
  author = 	 "Westley Weimer and George Necula",
  title = 	 "Mining temporal specifications for error detection",
  booktitle = TACAS2005,
  pages = 	 "461--476",
  year = 	 2005,
  address = 	 TACAS2005addr,
  month = 	 TACAS2005date,
}





@InProceedings{GabelS2008,
  author = 	 "Mark Gabel and Zhendong Su",
  title = 	 "Javert: fully automatic mining of general temporal properties from dynamic traces",
  booktitle = FSE2008,
  pages = 	 "339--349",
  year = 	 2008,
  address = 	 FSE2008addr,
  month = 	 FSE2008date,
  abstract =
   "Program specifications are important for many tasks during software design,
    development, and maintenance. Among these, temporal specifications are
    particularly useful. They express formal correctness requirements of an
    application's ordering of specific actions and events during execution,
    such as the strict alternation of acquisition and release of locks. Despite
    their importance, temporal specifications are often missing, incomplete, or
    described only informally. Many techniques have been proposed that mine
    such specifications from execution traces or program source code. However,
    existing techniques mine only simple patterns, or they mine a single
    complex pattern that is restricted to a particular set of manually selected
    events. There is no practical, automatic technique that can mine general
    temporal properties from execution traces.
    \par
    In this paper, we present Javert, the first general specification mining
    framework that can learn, fully automatically, complex temporal properties
    from execution traces. The key insight behind Javert is that real, complex
    specifications can be formed by composing instances of small generic
    patterns, such as the alternating pattern ($(ab)*$) and the resource usage
    pattern ($(ab*c)*$). In particular, Javert learns simple generic patterns and
    composes them using sound rules to construct large, complex
    specifications. We have implemented the algorithm in a practical tool and
    conducted an extensive empirical evaluation on several open source software
    projects. Our results are promising; they show that Javert is scalable,
    general, and precise. It discovered many interesting, nontrivial
    specifications in real-world code that are beyond the reach of existing
    automatic techniques.",
}



@Article{BiermannF1972,
  author = 	 "A. W. Biermann and J. A. Feldman",
  title = 	 "On the synthesis of finite-state machines from samples of their behavior",
  journal = 	 ieeetc,
  year = 	 1972,
  volume = 	 "C-21",
  number = 	 6,
  pages = 	 "592--597",
  month = 	 jun,
  abstract =
   "The Nerode realization technique for synthesizing finite-state machines
    from their associated right-invariant equivalence relations is modified to
    give a method for synthesizing machines from finite subsets of their
    input-output behavior. The synthesis procedure includes a parameter that
    one may adjust to obtain machines that represent the desired behavior with
    varying degrees of accuracy and that consequently have varying
    complexities. We discuss some of the uses of the method, including an
    application to a sequential learning problem.",
}






@InProceedings{LoMP2009,
  author = 	 "David Lo and Leonardo Mariani and Mauro Pezz\`{e}",
  authorASCII =	 "David Lo and Leonardo Mariani and Mauro Pezze",
  title = 	 "Automatic steering of behavioral model inference",
  booktitle = FSE2009,
  pages = 	 "345--354",
  year = 	 2009,
  address = 	 FSE2009addr,
  month = 	 FSE2009date,
  abstract =
   "Many testing and analysis techniques use finite state models to validate
    and verify the quality of software systems. Since the specification of such
    models is complex and time-consuming, researchers defined several
    techniques to extract finite state models from code and
    traces. Automatically generating models requires much less effort than
    designing them, and thus eases the verification and validation of large
    software systems. However, when models are inferred automatically, the
    precision of the mining process is critical. Behavioral models mined with
    imprecise processes can include many spurious behaviors, and can thus
    compromise the results of testing and analysis techniques that use those
    models.
    \par
    In this paper, we increase the precision of automata inferred from
    execution traces, by leveraging two learning techniques. We first mine
    execution traces to infer statistically significant temporal properties
    that capture relations between non consecutive and possibly distant
    events. We then incrementally refine a simple initial automaton by merging
    likely equivalent states. We identify equivalent states by analyzing set of
    consecutive events, and we use the inferred temporal properties to evaluate
    whether two equivalent states can be merged or not. We merge equivalent
    states only if the merging does violate any temporal property, since a
    merging that violates temporal properties is likely to introduce an
    imprecise generalization. Our generalization process that preserves
    temporal properties while merging states avoids breaking non-local
    relations, and thus solves one of the major cause of overgeneralized
    models. Thus, mined properties steer the learning of behavioral models. The
    technique is completely automated and generates an automaton that both
    accepts the input traces and satisfies the mined temporal properties.
    \par
    We evaluated our solution by comparing models inferred with and without
    checking mined temporal properties. Results show that our steering process
    can significantly improve precision without noticeable loss of recall.",
  doi = {http://doi.acm.org/10.1145/1595696.1595761},
}


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Statically checking invariants (theorem proving)
%%%

@InCollection{PfenningF:deptlp,
  author =       "Frank Pfenning",
  title =        "Dependent Types in Logic Programming",
  booktitle =    "Types in Logic Programming",
  editor =       "Frank Pfenning",
  publisher =    "MIT Press",
  address =      "Cambridge, MA",
  chapter =      "10",
  pages =        "285--311",
  year =         "1992",
  keywords =     "LF, Elf",
}



@Misc{PREfix,
  key = 	 "PREfix",
  title = 	 "{PREfix/Enterprise}",
  howpublished = "\url{www.intrinsa.com}",
  year = 	 1999
}


@Article{BushPS2000,
  author = 	 "William R. Bush and Jonathan D. Pincus and David J. Sielaff",
  title = 	 "A static analyzer for finding dynamic programming errors",
  journal = 	 SPE,
  year = 	 2000,
  volume =	 30,
  number =	 7,
  pages =	 "775--802",
  month =	 jun
}



@InProceedings{dwyer-sigsoft94,
  author =       "Matthew B. Dwyer and Lori A. Clarke",
  title =        "Data Flow Analysis for Verifying Properties of
                 Concurrent Programs",
  booktitle =    FSE94,
  pages =        "62--75",
  address =      FSE94addr,
  month =        FSE94date,
  year =         "1994",
  abstract =     "In this paper we present an approach, based on data
                 flow analysis, that can provide cost-effective analysis
                 of concurrent programs with respect to explicitly
                 stated correctness properties. Using this approach, a
                 developer specifies a property of a concurrent program
                 as a pattern of selected program events and asks the
                 analysis to verify that all or no program executions
                 satisfy the given property. We have developed a family
                 of polynomial-time, conservative data flow analysis
                 algorithms that support reasoning about these
                 questions. To overcome the traditional inaccuracies of
                 static analysis, we have also developed a range of
                 techniques for improving the accuracy of the analysis
                 results. One strength of our approach is the
                 flexibility allowed in choosing and combining these
                 techniques so as to increase accuracy without making
                 analysis time impractical. We have implemented a
                 prototype toolset that automates the analysis for
                 programs with explicit tasking and rendezvous style
                 communication. We present preliminary experimental
                 results using this toolset.",
}


@InProceedings{ICSE97*594,
  author =       "Gleb Naumovich and Lori A. Clarke and Leon J.
                 Osterweil and Matthew B. Dwyer",
  title =        "Verification of Concurrent Software with {FLAVERS}",
  pages =        "594--595",
  booktitle =    ICSE97,
  address =      ICSE97addr,
  month =        ICSE97date,
  year =         "1997",
}




@Article{CobleighCO2002,
  author = 	 "Jamieson M. Cobleigh and Lori A. Clarke and Leon J. Osterweil",
  title = 	 "{FLAVERS}:  A finite state verification technique for
                  software systems",
  journal = 	 "IBM Systems Journal",
  year = 	 "2002",
  volume = 	 "41",
  number = 	 "1",
  pages = 	 "140--165",
  abstract =
   "Software systems are increasing in size and complexity and, subsequently,
    are becoming ever more difficult to validate. Finite state verification
    (FSV) has been gaining credibility and attention as an alternative to
    testing and to formal verification approaches based on theorem
    proving. There has recently been a great deal of excitement about the
    potential for FSV approaches to prove properties about hardware
    descriptions but, for the most part, these approaches do not scale
    adequately to handle the complexity usually found in software. In this
    paper, we describe an FSV approach that creates a compact and
    conservative, but imprecise, model of the system being analyzed, and then
    assists the analyst in adding additional details as guided by previous
    analysis results. This paper describes this approach and a prototype
    implementation called FLAVERS, presents a detailed example, and then
    provides some experimental results demonstrating scalability."
}

@InProceedings{NeculaL96,
  author = 	 {George C. Necula and Peter Lee},
  title = 	 {Safe Kernel Extensions Without Run-Time Checking},
  booktitle = 	 OSDI96,
  year =	 1996,
  pages =        "229--243",
  address =	 OSDI96addr,
  month =	 OSDI96date,
}

@InProceedings{PLDI::NeculaL1998,
  title =        "The Design and Implementation of a Certifying
                 Compiler",
  author =       "George C. Necula and Peter Lee",
  booktitle =    PLDI98,
  address =      pldi98addr,
  month =        pldi98date,
  year =         "1998",
  pages =        "333--344",
}

@InProceedings{Appel2001,
  author = 	 {Andrew W. Appel},
  title = 	 {Foundational Proof-Carrying Code},
  booktitle = 	 LICS2001,
  address =      LICS2001addr,
  year =	 2001,
  pages =        "247--257",
  month =	 LICS2001date,
}

@InProceedings{MichaelA2000,
  author = 	 {Neophytos G. Michael and Andrew W. Appel},
  title = 	 {Machine Instruction Syntax and Semantics in Higher Order Logic},
  booktitle = 	 CADE2000,
  year =	 2000,
  pages =        "7--24",
  month =	 CADE2000date,
  address =      CADE2000addr,
}

@InProceedings{ChangCNS2005,
  author = 	 {Bor-Yuh Evan Chang and Adam Chlipala and George C. Necula and Robert  R. Schneck},
  title = 	 {The {Open} {Verifier} Framework for Foundational Verifiers},
  booktitle = 	 POPL2005,
  year =	 2005,
  address =	 POPL2005addr,
  month =	 POPL2005date,
  pages =        "1--12",
}

@InProceedings{JacobsvdBHvBHT98,
  author = 	 "Bart Jacobs and Joachim {van den Berg} and Marieke
		  Huisman and Martijn {van Berkum} and Ulrich Hensel and
		  Hendrik Tews",
  title = 	 "Reasoning about {Java} Classes",
  booktitle = 	 OOPSLA98,
  pages =        "329--340",
  year =	 1998,
  address = 	 OOPSLA98addr,
  month =	 OOPSLA98date
}




@InProceedings{ESOP::HenselHJT1998,
  title =        "Reasoning about Classes in Object-Oriented Languages:
                 Logical Models and Tools",
  author =       "Ulrich Hensel and Marieke Huisman and Bart Jacobs and
                 Hendrik Tews",
  booktitle =    "Programming Languages and Systems---{ESOP}'98, 7th
                 European Symposium on Programming",
  editor =       "Chris Hankin",
  address =      "Lisbon, Portugal",
  month =        "28~" # mar # "--4~" # apr,
  year =         "1998",
  series =       "Lecture Notes in Computer Science",
  volume =       "1381",
  publisher =    "Springer",
  ISBN =         "ISBN 3-540-64302-8",
  pages =        "105--121",
}


@Article{HuismanJvdB2001,
  author = 	 "Marieke Huisman and Bart P.F. Jacobs and Joachim A.G.M. {van den Berg}",
  title = 	 "A Case Study in Class Library Verification: {Java}'s {V}ector Class",
  journal = 	 "International Journal on Software Tools for Technlogy
		  Transfer",
  year = 	 2001,
  volume =	 3,
  number =	 3,
  pages =	 "332--352",
  OPTmonth = 	 "",
  URL =          "http://dx.doi.org/10.1007/s100090100047",
  abstract =     "This paper presents a verification of an invariant
		  property for the Vector class from Java's standard
		  library (API). The property says (essentially) that the
		  actual size of a vector is less than or equal to its
		  capacity. It is shown that this ``safety'' or ``data
		  integrity'' property is maintained by all methods of the
		  Vector class, and that it holds for all objects created
		  by the constructors of the Vector class. The verification
		  of the Vector class invariant is done with the proof tool
		  PVS. It is based on a semantics of Java in higher order
		  logic. The latter is incorporated in a special purpose
		  compiler, the LOOP tool, which translates Java classes
		  into logical theories. It has been applied to the Vector
		  class for this case study. The actual verification takes
		  into account the object-oriented character of Java:
		  (non-final) methods may always be overridden, so that one
		  cannot rely on a particular implementation. Instead, one
		  has to reason from method specifications in such
		  cases. This project demonstrates the feasibility of
		  tool-assisted verification of non-trivial properties for
		  non-trivial Java classes."
}


@Article{Kaufmann:1997:IST,
  author =       "Matt Kaufmann and J Strother Moore",
  title =        "An Industrial Strength Theorem Prover for a Logic
                 Based on {Common Lisp}",
  journal =      TSE,
  volume =       23,
  number =       4,
  pages =        "203--213",
  month =        apr,
  year =         1997,
  coden =        "IESEDJ",
  ISSN =         "0098-5589",
  bibdate =      "Wed Aug 6 18:51:34 MDT 1997",
}

@InProceedings{BrKM96,
  author =       "B. Brock and M. Kaufmann and J S. Moore",
  title =        "{ACL2} Theorems about commercial microprocessors",
  booktitle =    "First international conference on formal methods in
                 computer-aided design",
  year =         "1996",
  OMITeditor =       "{M. Srivas} and {A. Camilleri}",
  pages =        "275--293",
  volume =       "1166",
  series =       "Lecture Notes in Computer Science",
  publisher =    "Springer Verlag",
  address =      "Palo Alto, CA, USA",
  month =        nov,
  key =          "BrKM96",
}

@article{BoyerY96,
 author = {Robert S. Boyer and Yuan Yu},
 title = {Automated proofs of object code for a widely used microprocessor},
 journal = JACM,
 volume = {43},
 number = {1},
 year = {1996}
}

@Book{BoyerM97,
  author = 	 "Robert S. Boyer and J Strother Moore",
  ALTeditor = 	 "",
  title = 	 "A Computational Logic Handbook",
  publisher = 	 "Academic Press",
  year = 	 1997,
  OPTkey = 	 "",
  OPTvolume = 	 "",
  OPTnumber = 	 "",
  OPTseries = 	 "",
  OPTaddress = 	 "",
  edition = 	 "2nd",
  OPTmonth = 	 "",
  OPTnote = 	 "",
  OPTannote = 	 ""
}



@InProceedings{pldi97*226,
  author =       "Jakob L. Jensen and Michael E. J{\o}rgensen and
                 Michael I. Schwartzbach and Nils Klarlund",
  title =        "Automatic Verification of Pointer Programs using
                 Monadic Second-Order Logic",
  pages =        "226--234",
  ISSN =         "0362-1340",
  booktitle =    PLDI97,
  address =      PLDI97addr,
  month =        PLDI97date,
  year =         "1997",
}


@InProceedings{Sagiv:1999:PSA,
  author =       "Mooly Sagiv and Thomas Reps and Reinhard Wilhelm",
  title =        "Parametric shape analysis via 3-valued logic",
  booktitle =    POPL99,
  address =      popl99addr,
  year =         1999,
  month =        POPL99date,
  ISBN =         "????",
  pages =        "105--118",
  bibdate =      "Mon May 3 12:58:58 MDT 1999",
  url =          "http://www.acm.org:80/pubs/citations/proceedings/plan/292540/p105-sagiv/",
  keywords =     "algorithms; measurement",
  subject =      "{\bf F.4.1} Theory of Computation, MATHEMATICAL LOGIC
                 AND FORMAL LANGUAGES, Mathematical Logic, Logic and
                 constraint programming. {\bf I.2.3} Computing
                 Methodologies, ARTIFICIAL INTELLIGENCE, Deduction and
                 Theorem Proving, Logic programming. {\bf G.4}
                 Mathematics of Computing, MATHEMATICAL SOFTWARE,
                 Algorithm design and analysis. {\bf F.3.2} Theory of
                 Computation, LOGICS AND MEANINGS OF PROGRAMS, Semantics
                 of Programming Languages.",
}




@INPROCEEDINGS{Rushby99:SPIN,
    AUTHOR = {John Rushby},
    TITLE = {Integrated Formal Verification: Using Model
        Checking With Automated Abstraction, Invariant Generation, and
        Theorem Proving},
    BOOKTITLE = {Fifth International {SPIN} Workshop},
    YEAR = 1999,
    ADDRESS = {Trento, Italy},
    MONTH = jun,
}


@InProceedings{BenRepSag99,
  author =       "Michael Benedikt and Thomas Reps and Mooly Sagiv",
  title =        "A Decidable Logic for Describing Linked Data Structures",
  booktitle =    "ESOP: 8th European Symposium on Programming",
  year =         "1999",
  abstract =
   "This paper aims to provide a better formalism for describing properties of
    linked data structures (e.g., lists, trees, graphs), as well as the
    intermediate states that arise when such structures are destructively
    updated. The paper defines a new logic that is suitable for these purposes
    (called Lr, for ``logic of reachability expressions''). We show that Lr is
    decidable, and explain how Lr relates to two previously defined
    structure-description formalisms (``path matrices'' and ``static shape
    graphs'') by showing how an arbitrary shape descriptor from each of these
    formalisms can be translated into an Lr formula.",
}





@InProceedings{BjornerBCCKMSU96,
  author = 	 "Nikolaj Bjorner and Anca Browne and Eddie Chang and
                  Michael Colon and Arjun Kapur and Zohar Manna and Henny
                  Sipma and Tomas Uribe",
  title = 	 "{STeP}: Deductive-algorithmic verification of reactive
                  and real-time systems",
  booktitle =    CAV96,
  pages = 	 "415--418",
  year = 	 1996,
  address = 	 CAV96addr,
  month = 	 CAV96date
}

% MannaABBCCdADSU94
@TechReport{STeP,
  author = 	 "Zohar Manna and Anuchit Anuchitanukul and Nikolaj Bjorner
                  and Anca Browne and Edward Chang and Michael Colon and
                  Luca de Alfaro and Harish Devarajan and Henny Sipma and
                  Tomas Uribe",
  title = 	 "{STeP}: The {Stanford} {Temporal} {Prover}",
  institution =  "Computer Science Department, Stanford University",
  year = 	 1994,
  number =	 "STAN-CS-TR-94-1518",
  OPTaddress = 	 "",
  month =	 jun
}



@InProceedings{RajanSS95,
  author = 	 "S. Rajan and N. Shankar and M. K. Srivas",
  title = 	 "An Integration of Model Checking with Automated Proof Checking",
  booktitle =	 CAV95,
  pages =	 "84--97",
  year =	 1995,
  address =	 CAV95addr,
  month =        CAV95date,
}


@InProceedings{Hungar93,
  author = 	 "Hardi Hungar",
  title = 	 "Combining model checking and theorem proving to verify parallel processes",
  booktitle =	 "Computer Aided Verification, CAV' 93",
  pages =	 "154--165",
  year =	 1993
}



@InProceedings{Shankar2000,
  author = 	 "Natarajan Shankar",
  title = 	 "Combining theorem proving and model checking through
                  symbolic analysis",
  booktitle =	 CONCUR2000,
  year =	 2000,
  address =	 CONCUR2000addr,
  month =	 CONCUR2000date
}


@Book{Isabelle-tutorial,
  author        = {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel},
  title         = {Isabelle/HOL --- A Proof Assistant for Higher-Order Logic},
  publisher     = {Springer},
  series        = {LNCS},
  volume        = 2283,
  year          = 2002}


%%%
%%% ESC
%%%

@InProceedings{Detlefs96,
  author = 	 "David L. Detlefs",
  title = 	 "An overview of the {E}xtended {S}tatic {C}hecking system",
  booktitle = 	 "Proceedings of the First Workshop on Formal Methods in
		  Software Practice",
  pages =	 "1--9",
  year =	 1996,
  month =	 jan,
}


@InProceedings{LeinoN98,
  author = 	 "K. Rustan M. Leino and Greg Nelson",
  title = 	 "An extended static checker for {M}odula-3",
  booktitle = 	 CC98,
  pages =	 "302--305",
  year =	 1998,
  month =	 apr,
  address =      CC98addr,
}

@TechReport{Detlefs-etal98,
  author =       "David L. Detlefs and K. Rustan M. Leino and Greg
                 Nelson and James B. Saxe",
  title =        "Extended Static Checking",
  institution =  "Compaq Systems Research Center",
  year =         "1998",
  key =          "Detlefs, {\it et al.}",
  type =         "SRC Research Report",
  number =       "159",
  OPTaddress =      "130 Lytton Ave., Palo Alto",
  month =        dec # "~18,",
  annote =       "48 references.",
}


@TechReport{DetlefsLN98,
  author =       "David L. Detlefs and K. Rustan M. Leino and Greg Nelson",
  title =        "Wrestling with rep exposure",
  institution =  "Digital Systems Research Center",
  year =         1998,
  type =         "SRC Research Report",
  number =       156,
  address =      "130 Lytton Ave., Palo Alto, CA",
  month =        jul # "~29,",
}





@InProceedings{LeinoM2004,
  author = 	 "K. Rustan M. Leino and Peter M{\"u}ller",
  title = 	 "Object invariants in dynamic contexts",
  booktitle =	 ECOOP2004,
  pages =	 "491--",
  year =	 2004,
  address =	 ECOOP2004addr,
  month =	 ECOOP2004date,
  abstract =
   "Object invariants describe the consistency of object-oriented data
    structures and are central to reasoning about the correctness of
    object-oriented software. Yet, reasoning about object invariants in the
    presence of object references, methods, and subclassing is difficult. This
    paper describes a methodology for specifying and verifying object-oriented
    programs, using object invariants to specify the consistency of data and
    using ownership to organize objects into contexts. The novelty is that
    contexts can be dynamic: there is no bound on the number of objects in a
    context and objects can be transferred between contexts. The invariant of
    an object is allowed to depend on the fields of the object, on the fields
    of all objects in transitively-owned contexts, and on fields of objects
    reachable via given sequences of fields. With these invariants, one can
    describe a large variety of properties, including properties of cyclic data
    structures. Object invariants can be declared in or near the classes whose
    fields they depend on, not necessarily in the class of an owning
    object. The methodology is designed to allow modular reasoning, even in the
    presence of subclasses, and is proved sound."
}




@Book{Muller2002,
  author = 	 "Peter M{\"u}ller",
  authorASCII =	 "Peter Muller",
  title = 	 "Modular Specification and Verification of Object-Oriented Programs",
  publisher = 	 "Springer-Verlag",
  year = 	 2002,
  number = 	 2262,
  series = 	 LNCS,
}


@Article{MullerPHL2006,
  author = 	 "Peter M{\"u}ller and Arnd Poetzsch-Heffter and Gary T. Leavens",
  authorASCII = 	 "Peter Muller",
  title = 	 "Modular invariants for layered object structures",
  journal = 	 SCP,
  year = 	 2006,
  volume = 	 62,
  pages = 	 "253--286",
  month = 	 oct,
}


@InProceedings{JacobsPLS2005,
  author = 	 "Bart Jacobs and Frank Piessens and K. Rustan M. Leino and Wolfram Schulte",
  title = 	 "Safe concurrency for aggregate objects with invariants",
  booktitle = SEFM2005,
  pages = 	 "137--147",
  year = 	 2005,
  address = 	 SEFM2005addr,
  month = 	 SEFM2005date,
}


@TechReport{LeinoNS2000:ESC,
  author = 	 "K. Rustan M. Leino and Greg Nelson and James B. Saxe",
  title = 	 "{ESC}/{Java} User's Manual",
  institution =  "Compaq Systems Research Center",
  year = 	 2000,
  number =	 "2000-002",
  address =	 "Palo Alto, California",
  month =	 oct # "~12,"
}


@TechReport{Seres99,
  author = 	 "Seres, Silvija",
  title = 	 "{ESC}/{Java} Quick Reference",
  institution =  "Compaq Systems Research Center",
  year = 	 2000,
  number =	 "2000-004",
  month =	 oct # "~12,",
  note =	 "Revised by K. Rustan M. Leino and James B. Saxe, October 2000"
}


@Article{FlanaganJL01,
  author = 	 "Cormac Flanagan and Rajeev Joshi and K. Rustan M. Leino",
  title = 	 "Annotation inference for modular checkers",
  journal = 	 "Information Processing Letters",
  year = 	 2001,
  volume =	 2,
  number =	 4,
  pages =	 "97--108",
  month =	 feb
}


@InProceedings{FlanaganL2001:Houdini,
  author = 	 "Cormac Flanagan and K. Rustan M. Leino",
  title = 	 "Houdini, an annotation assistant for {ESC/Java}",
  titleASCII = 	 "Houdini, an annotation assistant for ESC/Java",
  booktitle = 	 FME01,
  pages =	 "500--517",
  year =	 2001,
  OMITseries =	 LNCS,
  OMITvolume =	 2021,
  address =	 FME01addr,
  OMITpublisher = "Springer",
  month =	 FME01date,
}


@Article{LeinoMS2005,
  author = 	 "K. Rustan M. Leino and Todd Millstein and James B. Saxe",
  title = 	 "Generating error traces from verification-condition counterexamples",
  journal = 	 scp,
  year = 	 2005,
  volume = 	 55,
  number = 	 "1--3",
  pages = 	 "209--226",
  month = 	 mar,
  abstract =
   "A technique for finding errors in computer programs is to translate a
   given program and its correctness criteria into a logical formula in
   mathematics and then let an automatic theorem prover check the validity
   of the formula. This approach gives the tool designer much flexibility
   in which conditions are to be checked, and the technique can reason
   about as many aspects of the given program as the underlying theorem
   prover allows. This paper describes a method for reconstructing, from
   the theorem prover's mathematical output, error traces that lead to the
   program errors that the theorem prover discovers.",
}



@InProceedings{FlanaganS01,
  author =       "Cormac Flanagan and James B. Saxe",
  title =        "Avoiding Exponential Explosion: Generating Compact
                 Verification Conditions",
  booktitle =    POPL2001,
  address =      POPL2001addr,
  month =        POPL2001date,
  year =         2001,
  pages =        "193--205",
}



@PhdThesis{Nelson80,
  author = 	 "Greg Nelson",
  title = 	 "Techniques for Program Verification",
  school = 	 "Stanford University",
  year = 	 1980,
  address =	 "Palo Alto, CA",
  note =	 "Also published as Xerox Palo Alto Research Center Research Report CSL-81-10."
}


@TechReport{DetlefsNS2003,
  author = 	 "David Detlefs and Greg Nelson and James B. Saxe",
  title = 	 "Simplify: A theorem prover for program checking",
  institution =  "HP Labs",
  year = 	 2003,
  number =	 "HPL-2003-148",
  address =	 "Palo Alto, CA",
  month =	 jul # "~23,",
  abstract =
   "This paper provides a detailed description of the automatic theorem prover
    Simplify, which is the proof engine of the Extended Static Checkers
    ESC/Java and ESC/Modula-3. Simplify uses the Nelson-Oppen method to combine
    decision procedures for several important theories, and also employs a
    matcher to reason about quantifiers. Instead of conventional matching in a
    term DAG, Simplify matches up to equivalence in an E- graph, which detects
    many relevant pattern instances that would be missed by the conventional
    approach. The paper describes two techniques, labels and counterexample
    contexts, for helping the user to determine the reason that a false
    conjecture is false. The paper includes detailed performance figures on
    conjectures derived from realistic program-checking problems.",
}


@InProceedings{DeMouraB2008,
  author = 	 "De Moura, Leonardo and Bj{\o}rner, Nikolaj",
  authorASCII = 	 "Leonardo De Moura and Nikolaj Bjorner",
  title = 	 "Z3: An efficient {SMT} solver",
  booktitle = TACAS2008,
  pages = 	 "337--340",
  year = 	 2008,
  address = 	 TACAS2008addr,
  month = 	 TACAS2008date,
}


@InProceedings{FlanaganLLNSS02,
  author = 	 "Cormac Flanagan and K. Rustan M. Leino and Mark
                  Lillibridge and Greg Nelson and James B. Saxe and Raymie
                  Stata",
  title = 	 "Extended static checking for {Java}",
  booktitle =	 PLDI2002,
  pages =	 "234--245",
  year =	 2002,
  address =	 PLDI2002addr,
  month =	 PLDI2002date,
  abstract =
   "Software development and maintenance are costly endeavors. The cost can be
    reduced if more software defects are detected earlier in the development
    cycle. This paper introduces the Extended Static Checker for Java
    (ESC/Java), an experimental compile-time program checker that finds common
    programming errors. The checker is powered by verification-condition
    generation and automatic theorem-proving techniques. It provides
    programmers with a simple annotation language with which programmer design
    decisions can be expressed formally.  ESC/Java examines the annotated
    software and warns of inconsistencies between the design decisions recorded
    in the annotations and the actual code, and also warns of potential runtime
    errors in the code. This paper gives an overview of the checker
    architecture and annotation language and describes our experience applying
    the checker to tens of thousands of lines of Java programs."
}


@InProceedings{CokK2004,
  author = 	 "David R. Cok and Joseph R. Kiniry",
  title = 	 "{ESC/Java2}: Uniting {ESC/Java} and {JML}",
  fulltitle = 	 "{ESC/Java2}: Uniting {ESC/Java} and {JML}: Progress and
                  issues in building and using {ESC/Java2}, including a
                  case study involving the use of the tool to verify
                  portions of an internet voting tally system",
  booktitle =	 "Construction and Analysis of Safe, Secure, and
                  Interoperable Smart Devices,
                  CASSIS 2004, Revised Selected Papers",
  pages =	 "108--128",
  year =	 2004,
  conferenceyear=2004,
  proceedingsyear=2005,
  volume =	 3362,
  series =	 LNCS,
  address =	 "Marseille, France",
  month =	 mar # "~10--13,",
  abstract =
   "The ESC/Java tool was a lauded advance in effective static checking of
    realistic Java programs, but has become out-of-date with respect to Java
    and the Java Modeling Language (JML). The ESC/Java2 project, whose progress
    is described in this paper, builds on the final release of ESC/Java from
    DEC/SRC in several ways. It parses all of JML, thus can be used with the
    growing body of JML-annotated Java code; it has additional static checking
    capabilities; and it has been designed, constructed, and documented in such
    a way as to improve the tool's usability to both users and researchers. It
    is intended that ESC/Java2 be used for further research in, and
    larger-scale case studies of, annotation and verification, and for studies
    in programmer productivity that may result from its integration with other
    tools that work with JML and Java. The initial results of the first major
    use of ESC/Java2, that of the verification of parts of the tally subsystem
    of the Dutch Internet voting system are presented as well.",
}


@InProceedings{Chess2002,
  author = 	 "Brian V. Chess",
  title = 	 "Improving computer security using {Extended} {Static}
                  {Checking}",
  booktitle =	 "IEEE Symposium on Security and Privacy",
  pages =	 "160--173",
  year =	 2002,
  address =	 "Berkeley, California",
  month =	 may # "~12--15,",
  abstract =
   "We describe a method for finding security flaws in source code by way
    of static analysis. The method is notable because it allows a user to
    specify a wide range of security properties while also leveraging a set
    of predefined common flaws. It works by using an automated theorem
    prover to analyze verification conditions generated from C source code
    and a set of specifications that define security properties. We
    demonstrate that the method can be used to identify real
    vulnerabilities in real programs."
}


@InProceedings{BarnettLS2004,
  author = 	 "Mike Barnett and K. Rustan M. Leino and Wolfram Schulte",
  title = 	 "The {Spec\#} programming system:  An overview",
  titleASCII = 	 "The Spec# programming system:  An overview",
  booktitle = CASSIS2004,
  pages = 	 "49--69",
  year = 	 2004,
  address = 	 CASSIS2004addr,
  month = 	 CASSIS2004date,
  abstract =
   "The Spec\# programming system is a new attempt at a more cost effective way
    to develop and maintain high-quality software. This paper describes the
    goals and architecture of the Spec\# programming system, consisting of the
    object-oriented Spec\# programming language, the Spec\# compiler, and the
    Boogie static program verifier. The language includes constructs for
    writing specifications that capture programmer intentions about how methods
    and data are to be used, the compiler emits run-time checks to enforce
    these specifications, and the verifier can check the consistency between a
    program and its specifications.",
}

@Article{BarnettFLMSV2010,
  author = 	 "Barnett, Mike and F{\"a}hndrich, Manuel and Leino, K. Rustan M. and M{\"u}ller, Peter and Schulte, Wolfram and Venter, Herman",
  authorASCII = 	 "Barnett, Mike and Fahndrich, Manuel and Leino, K. Rustan M. and Muller, Peter and Schulte, Wolfram and Venter, Herman",
  authorASCII2 = 	 "Barnett, Mike and Faehndrich, Manuel and Leino, K. Rustan M. and Mueller, Peter and Schulte, Wolfram and Venter, Herman",
  title = 	 "Specification and verification: The {Spec\#} experience",
  journal = 	 CACM,
  year = 	 2011,
  volume = 	 54,
  number = 	 6,
  pages = 	 "81--91",
  month = 	 jun,
}




%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% JML
%%%

@TechReport{Leavens-Baker-Ruby01,
  key =          "Leavens \& Baker \& Ruby",
  author =       "Gary T. Leavens and Albert L. Baker and Clyde Ruby",
  title =        "Preliminary Design of {JML}: {A} Behavioral Interface
                 Specification Language for {Java}",
  institution =  "Iowa State University, Department of Computer
                 Science",
  year =         "2000",
  number =       "98-06m",
  month =        feb,
  url =          "ftp://ftp.cs.iastate.edu/pub/techreports/TR98-06/TR.ps.gz",
  annote =       "56 references.",
  note =         "See \url{www.cs.iastate.edu/~leavens/JML.html}.",
}

@InCollection{Leavens-Baker-Ruby99b,
  key =          "Leavens \& Baker \& Ruby",
  author =       "Gary T. Leavens and Albert L. Baker and Clyde Ruby",
  title =        "{JML}: {A} Notation for Detailed Design",
  booktitle =    "Behavioral Specifications of Businesses and Systems",
  IGNOREeditor =       "Haim Kilov and Bernhard Rumpe and Ian Simmonds",
  year =         "1999",
  publisher =    "Kluwer Academic Publishers",
  address =      "Boston",
  pages =        "175--188",
  annote =       "36 references.",
}

@InProceedings{Leavens-etal00,
  key =          "Leavens, {\em et al.}",
  author =       "Gary T. Leavens and K. Rustan M. Leino and Erik Poll
                 and Clyde Ruby and Bart Jacobs",
  title =        "{JML}: notations and tools supporting detailed design
                 in {Java}",
  booktitle =    OOPSLA2000companion,
  year =         "2000",
  month =        OOPSLA2000date,
  pages =        "105--106",
  address =      OOPSLA2000addr,
  OMITorganization = "ACM",
  url =          "ftp://ftp.cs.iastate.edu/pub/techreports/TR00-15/TR.ps.gz",
  annote =       "Abstract of an OOPSLA 2000 poster. 14 references.",
}


@Article{LeavensBR2006:JML,
  author = 	 "Gary T. Leavens and Albert L. Baker and Clyde Ruby",
  title = 	 "Preliminary design of {JML}: A behavioral interface specification language for {Java}",
  journal = 	 SEN,
  year = 	 2006,
  volume = 	 31,
  number = 	 3,
  NOpages = 	 "published online",
  month = 	 mar,
  abstract =
   "JML is a behavioral interface specification language tailored to Java(TM).
    Besides pre- and postconditions, it also allows assertions to be
    intermixed with Java code; these aid verification and debugging.  JML is
    designed to be used by working software engineers; to do this it follows
    Eiffel in using Java expressions in assertions.  JML combines this idea
    from Eiffel with the model-based approach to specifications, typified by
    VDM and Larch, which results in greater expressiveness.  Other
    expressiveness advantages over Eiffel include quantifiers,
    specification-only variables, and frame conditions.This paper discusses
    the goals of JML, the overall approach, and describes the basic features
    of the language through examples.  It is intended for readers who have
    some familiarity with both Java and behavioral specification using pre-
    and postconditions.",
  doi = {http://doi.acm.org/10.1145/1127878.1127884},
}



@InProceedings{CatanoH03,
  author = 	 "N{\'e}stor Cata{\~n}o and Marieke Huisman",
  authorASCII =	 "Nestor Catano and Marieke Huisman",
  title = 	 "Chase:  a static checker for {JML}'s {\em assignable} clause",
  booktitle =	 VMCAI2003,
  pages = 	 "26--40",
  year = 	 2003,
  address =	 VMCAI2003addr,
  month =	 VMCAI2003date
}



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Related tools
%%%



@TechReport{OCallahan99:valuepoint,
  author = 	 "Robert O'Callahan",
  title = 	 "The Design of Program Analysis Services",
  institution =  "Carnegie Mellon University School of Computer Science",
  year = 	 1999,
  number =	 "CMU-CS-99-135",
  address =	 "Pittsburgh, PA",
  month =	 jun
}

@TechReport{OCallahan99:semi,
  author = 	 "Robert O'Callahan",
  title = 	 "Optimizing a solver of polymorphism constraints: {SEMI}",
  institution =  "Carnegie Mellon University School of Computer Science",
  year = 	 1999,
  number =	 "CMU-CS-99-135",
  address =	 "Pittsburgh, PA",
  month =	 jun
}




@PhdThesis{OCallahan2001,
  author = 	 "Robert O'Callahan",
  title = 	 "Generalized Aliasing as a Basis for Program Analysis Tools",
  school = 	 "Carnegie-Mellon University",
  year = 	 2001,
  address =	 "Pittsburgh, PA",
  month =	 may
}




@InProceedings{AmmonsBL2002,
  author =       "Glenn Ammons and Rastislav Bod{\'\i}k and James R. Larus",
  authorASCII =  "Rastislav Bodik",
  title =        "Mining specifications",
  booktitle =	 POPL2002,
  pages =	 "4--16",
  year =	 2002,
  address =	 POPL2002addr,
  month =	 POPL2002date
}


@InProceedings{ChristodorescuJK2007,
  author = 	 "Mihai Christodorescu and Somesh Jha and Christopher Kruegel",
  title = 	 "Mining specifications of malicious behavior",
  booktitle = FSE2007,
  pages = 	 "5--14",
  year = 	 2007,
  address = 	 FSE2007addr,
  month = 	 FSE2007date,
  abstract =
   "Malware detectors require a specification of malicious behavior.
    Typically, these specifications are manually constructed by investigating
    known malware.  We present an automatic technique to overcome this
    laborious manual process.  Our technique derives such a specification by
    comparing the execution behavior of a known malware against the execution
    behaviors of a set of benign programs.  In other words, we mine the
    malicious behavior present in a known malware that is not present in a set
    of benign programs.  The output of our algorithm can be used by malware
    detectors to detect malware variants.  Since our algorithm provides a
    succinct description of malicious behavior present in a malware, it can
    also be used by security analysts for understanding the malware.  We have
    implemented a prototype based on our algorithm and tested it on several
    malware programs.  Experimental results obtained from our prototype
    indicate that our algorithm is effective in extracting malicious behaviors
    that can be used to detect malware variants.",
}


@InProceedings{ArnoutS01,
  author = 	 "Karine Arnout and Rapha{\"e}l Simon",
  authorASCII =  "Raphaël Simon   Raphael Simon",
  title = 	 "The {.NET} {Contract} {Wizard}: Adding {Design} by
                  {Contract} to languages other than {Eiffel}",
  booktitle =	 TOOLS39,
  pages =	 "14--23",
  year =	 2001,
  address =	 TOOLS39addr,
  month =	 TOOLS39date,
  abstract =
   "Reliability is a key concern in the current state of software
    industry. Producing software without defects is still very
    difficult. Therefore it is crucial to benefit from high level language
    mechanisms such as assertions. Nevertheless contracts are mostly a
    specificity of the Eiffel language. This observation convinced ISE to
    build a new product, the Contract Wizard, which aims at providing .NET
    developers with the ability to add contracts to a .NET assembly
    independently from the .NET language it was initially written in.
    \par
    This paper gives an overview of the existing implementation of Design
    by Contract in various programming languages. It then explains how the
    new ISE contract Wizard works by providing a guided tour of the
    product."
}




@Misc{ArnoutM02,
  author = 	 "Karine Arnout and Bertrand Meyer",
  title = 	 "Extracting implicit contracts from {.NET} components",
  howpublished = "\url{http://se.inf.ethz.ch/people/arnout/work\_in\_progress/contract\_extraction.pdf}",
  month =	 sep # "~13,",
  year =	 2002,
  abstract =
   "Can libraries written without explicit support for Design by Contract
    in the language or the method benefit from a posteriori addition of
    contracts? To help answer this question, we performed an empirical
    study of library classes from the .NET Collections library, which doesn't
    use Design by Contract, to search for unexpressed contracts. This
    article reports on what we have found, and discusses whether the
    results could be used to improve the design of the classes and make
    them easier to learn and use."
}

% There seem to have been a lot of publications of the same work; here are three:




@MastersThesis{Carlos02,
  author = 	 "Cohan Sujay Carlos",
  title = 	 "The elimination of overheads due to type annotations and
                  the identification of candidate refactorings",
  school = 	 "North Carolina State University",
  year = 	 2002,
  address =	 "Raleigh, NC",
  abstract =
   "Refactorings are meaning-preserving transformations of object-oriented
    programs carried out with the aim of improving their design.  Sometimes
    refactorings accomplish just cosmetic improvements.  At other times,
    they make programs easier to modify.  Many system for refactoring
    programs have been described in the literature.
    \par
    The past few years have seen a plethora of object-oriented languages
    that enforce strict static type-checking and use explicit type
    declarations (type annotations).  Type annotations add to the expense
    of modification.  Our first result is a categorization of refactorings
    by their effect on type annotations.
    \par
    In the second part of this thesis, we study a tool that makes it
    easier to change programs with type annotations.  The tool uses type
    inference to automate the management of type annotations.
    \par
    The third part of the thesis concerns the use of type inference tools
    to select candidate refactorings.  In particular, these refactorings
    are recommended when type inconsistencies are found in a program.
    Thus, refactorings and type inference can mutually benefit each other.",
}


@InProceedings{HenkelD2003,
  author = 	 "Johannes Henkel and Amer Diwan",
  title = 	 "Discovering algebraic specifications from {Java} classes",
  booktitle =	 ECOOP2003,
  pages =	 "431--456",
  year =	 2003,
  address =	 ECOOP2003addr,
  month =	 ECOOP2003date,
  abstract =
   "We present and evaluate an automatic tool for extracting algebraic
    specifications from Java classes. Our tool maps a Java class to an
    algebraic signature and then uses the signature to generate a large number
    of terms. The tool evaluates these terms and based on the results of the
    evaluation, it proposes equations. Finally, the tool generalizes equations
    to axioms and eliminates many redundant axioms. Since our tool uses dynamic
    information, it is not guaranteed to be sound or complete. However, we
    manually inspected the axioms generated in our experiments and found them
    all to be correct."
}


@InProceedings{HenkelD2004,
  author = 	 "Johannes Henkel and Amer Diwan",
  title = 	 "A tool for writing and debugging algebraic specifications",
  booktitle =	 ICSE2004,
  pages =	 "449--458",
  year =	 2004,
  address =	 ICSE2004addr,
  month =	 ICSE2004date
}

@Article{NelsonO80,
  author = 	 "Greg Nelson and Derek C. Oppen",
  title = 	 "Fast Decision Procedures Based on Congruence Closure",
  journal = 	 JACM,
  year = 	 1980,
  volume =	 27,
  number =	 2,
  pages =	 "356--364",
  month =	 apr,
  abstract =
   "The notion of the congruence closure of a relation on a graph is defined
    and several algorithms for computing it are surveyed. A simple proof is
    given that the congruence closure algorithm provides a decision procedure
    for the quantifier-free theory of equality. A decision procedure is then
    given for the quantifier-free theory of LISP list structure based on the
    congruence closure algorithm. Both decision procedures determine the
    satisfiability of a conjunction of literals of length n in average time O(n
    log n) using the fastest known congruence closure algorithm. It is also
    shown that if the axiomatization of the theory of list structure is changed
    slightly, the problem of determining the satisfiability of a conjunction of
    literals becomes NP-complete. The decision procedures have been implemented
    in the authors' simplifier for the Stanford Pascal Verifier.",
}



@InProceedings{TillmannCS2006,
  author = 	 "Nikolai Tillmann and Feng Chen and Wolfram Schulte",
  title = 	 "Discovering likely method specifications",
  booktitle = ICFEM2006,
  pages = 	 "717--736",
  year = 	 2006,
  address = 	 ICFEM2006addr,
  month = 	 ICFEM2006date,
}





@TechReport{AgarwalSS2006,
  author = 	 "Rahul Agarwal and Amit Sasturkar and Scott D. Stoller",
  title =	 "Type discovery for {Parameterized} {Race}-{Free} {Java}",
  institution =  "Computer Science Department, SUNY at Stony Brook",
  year = 	 2004,
  number =	 "DAR-04-16",
  month =	 sep,
  abstract =
   "Concurrent programs are notorious for containing data races that are
    difficult to reproduce and diagnose at run-time. This inspired the
    development of type systems that statically ensure the absence of data
    races. Boyapati and Rinard's Parameterized Race Free Java (PRFJ) is an
    extension of Java with such a type system. We give the first complete
    formal presentation of PRFJ; Boyapati and Rinard's paper gives only an
    informal sketch of an important part of the type system, namely, support
    for readonly objects and objects referenced by a unique pointer. We present
    a new method for producing the type annotations needed by the type checker
    to show that a program is race-free. This approach, called type discovery,
    uses a combination of run-time monitoring and static analysis to
    automatically obtain most of the annotations. We study the expressiveness
    of the type system and efficacy of type discovery on several programs. In
    our experiments, type discovery reduced the number of annotations that need
    to be supplied by the programmer to about 1.9 annotations/KLOC. In Boyapati
    and Rinard's experiments, the programmer needed to supply about 25
    annotations/KLOC."
}



@InProceedings{SasturkarAWS2005,
  author = 	 "Amit Sasturkar and Rahul Agarwal and Liqiang Wang and Scott D. Stoller",
  title = 	 "Automated type-based analysis of data races and atomicity",
  booktitle = PPOPP2005,
  pages = 	 "83--94",
  year = 	 2005,
  address = 	 PPOPP2005addr,
  month = 	 PPOPP2005date,
}






@InProceedings{BoshernitsanDS2006,
  author = 	 "Marat Boshernitsan and Roongko Doong and Alberto Savoia",
  title = 	 "From {Daikon} to {Agitator}: Lessons and challenges in building a commercial tool for developer testing",
  booktitle = ISSTA2006,
  pages = 	 "169--179",
  year = 	 2006,
  address = 	 ISSTA2006addr,
  month = 	 ISSTA2006date,
  abstract =
   "Developer testing is of one of the most effective strategies for improving
    the quality of software, reducing its cost, and accelerating its
    development. Despite its widely recognized benefits, developer testing is
    practiced by only a minority of developers. The slow adoption of developer
    testing is primarily due to the lack of tools that automate some of the
    more tedious and time-consuming aspects of this practice.  Motivated by the
    need for a solution, and helped and inspired by the research in software
    test automation, we created a developer testing tool based on software
    agitation.  Software agitation is a testing technique that combines the
    results of research in test-input generation and dynamic invariant
    detection. We implemented software agitation in a commercial testing tool
    called Agitator. This paper gives a high-level overview of software
    agitation and its implementation in Agitator, focusing on the lessons and
    challenges of leveraging and applying the results of research to the
    implementation of a commercial product.",
}


@InProceedings{FeiM2006,
  author = 	 "Long Fei and Samuel P. Midkiff",
  title = 	 "Artemis: Practical runtime monitoring of applications for execution anomalies",
  booktitle =    PLDI2006,
  pages = 	 "84--95",
  year = 	 2006,
  address = 	 PLDI2006addr,
  month = 	 PLDI2006date,
}




@InProceedings{CsallnerTS2008,
  author = 	 "Christoph Csallner and Nikolai Tillmann and Yannis Smaragdakis",
  title = 	 "{DySy}: Dynamic symbolic execution for invariant inference",
  booktitle =    ICSE2008,
  pages = 	 "281--290",
  year = 	 2008,
  address = 	 ICSE2008addr,
  month = 	 ICSE2008date,
  abstract =
   "Dynamically discovering likely program invariants from concrete test
    executions has emerged as a highly promising software engineering
    technique. Dynamic invariant inference has the advantage of succinctly
    summarizing both ``expected'' program inputs and the subset of program
    behaviors that is normal under those inputs. In this paper, we introduce
    a technique that can drastically increase the relevance of inferred
    invariants, or reduce the size of the test suite required to obtain good
    invariants. Instead of falsifying invariants produced by pre-set
    patterns, we determine likely program invariants by combining the
    concrete execution of actual test cases with a simultaneous symbolic
    execution of the same tests. The symbolic execution produces abstract
    conditions over program variables that the concrete tests satisfy during
    their execution. In this way, we obtain the benefits of dynamic
    inference tools like Daikon: the inferred invariants correspond to the
    observed program behaviors. At the same time, however, our inferred
    invariants are much more suited to the program at hand than Daikon's
    hard-coded invariant patterns. The symbolic invariants are literally
    derived from the program text itself, with appropriate value
    substitutions as dictated by symbolic execution. We implemented our
    technique in the DySy tool, which utilizes a powerful symbolic execution
    and simplification engine. The results confirm the benefits of our
    approach. In Daikon's prime example benchmark, we infer the majority of
    the interesting Daikon invariants, while eliminating invariants that a
    human user is likely to consider irrelevant.",
  usesDaikon = 1,
  downloads = "http://www.cs.umass.edu/~yannis/dysy-icse08.pdf PDF",
}



@InProceedings{WienerKV2008,
  author = 	 "Roni Wiener and Gila Kamhi and Moshe Vardi",
  title = 	 "Intelligate: Scalable dynamic invariant learning for power reduction",
  booktitle =    PATMOS2008,
  NEEDpages = 	 "*",
  year = 	 2008,
  address = 	 PATMOS2008addr,
  month = 	 PATMOS2008date,
  abstract =
   "In this work we introduce an enhanced methodology to detect dynamic
    invariants from a power-benchmark simulation trace database. The method is
    scalable for the application of clock-gating extraction on industrial
    designs. Our approach focuses upon dynamic simulation data as the main
    source for detection of opportunities for power reduction. Experimental
    results demonstrate our ability to learn accurate clock-gating functions
    from simulation traces and achieve significant power reduction (in the
    range of 30\%-70\% of a clock net's power) on industrial micro-processor
    designs.",
}
































@InProceedings{ClaessenSH2010,
  author = 	 "Koen Claessen and Nicholas Smallbone and John Hughes",
  title = 	 "QuickSpec: Guessing Formal Specifications Using Testing",
  booktitle = TAP2010,
  NEEDpages = 	 "*",
  year = 	 2010,
  address = 	 TAP2010addr,
  month = 	 TAP2010date,
}


@InProceedings{NguyenKWF2012,
  author = 	 "Nguyen, ThanhVu and Kapur, Deepak and Weimer, Westley and Forrest, Stephanie",
  title = 	 "Using dynamic analysis to discover polynomial and array invariants",
  booktitle = ICSE2012,
  year = 	 2012,
  pages = 	 "683--693",
  month = 	 ICSE2012date,
  address = 	 ICSE2012addr,
}




%%%
%%% Assertion checking
%%%

@Article{IEEETSE::Rosenblum1995,
  title =        "A Practical Approach to Programming With Assertions",
  author =       "David S. Rosenblum",
  journal =      TSE,
  pages =        "19--31",
  month =        jan,
  year =         "1995",
  volume =       "21",
  number =       "1",
}



@TechReport{ncstrl.ucsb_cs//TRCS98-31,
  type =         "Technical Report",
  number =       "TRCS98-31",
  institution =  "University of California, Santa Barbara",
  title =        "{jContractor}: A Reflective {Java} Library to Support
                 Design by Contract",
  month =        jan # "~19,",
  year =         "1999",
  bibdate =      "February 3, 1999",
  url =          "ftp://ftp.cs.ucsb.edu/pub/techreports/TRCS98-31.ps",
  author =       "Murat Karaorman and Urs Holzle and John Bruno",
  abstract =     "jContractor is a purely library and design-pattern
                 based approach to support Design By Contract
                 specifications such as preconditions, postconditions,
                 class invariants, and recovery and exception handling
                 in Java. jContractor uses an intuitive naming
                 convention, and standard Java syntax to instrument Java
                 classes and enforce Design By Contract constructs. The
                 designer of a class specifies a contract by defining
                 protected methods which conform to the jContractor
                 design patterns. jContractor uses Java Reflection to
                 synthesize an instrumented version of a Java class
                 containing jContractor contract specifications. The
                 instrumented version contains code which enforces the
                 Design By Contract specifications. Programmers enable
                 the run-time enforcement of contracts by either
                 incorporating the jContractor class loader or by
                 instantiating objects directly from the
                 instrumented subclass through the jContractor
                 factory. Programmers can use exactly the same syntax
                 for invoking methods and passing object references
                 regardless of whether contracts are present or not.
                 Since jContractor is purely library-based, it works
                 with any Java implementation and requires no special
                 tools such as modified compilers, modified JVMs, or
                 pre-processors.",
}

@InProceedings{KaraormanHB99,
  author = 	 "Murat Karaorman and Urs Holzle and John Bruno",
  title = 	 "{jContractor}: A Reflective {Java} Library to Support
                 Design by Contract",
  booktitle = 	 "Reflection'99:  The Second International Conference on Meta-Level Architectures and Reflection",
  pages = 	 "175--196",
  year =	 1999,
  address =	 "Saint Malo, France",
  month =	 jul # "~19--21,"
}



@InProceedings{Peters1994,
  author =       "Dennis Peters",
  title =        "Generating a Test Oracle from Program Documentation",
  pages =        "58--65",
  booktitle =    "Proceedings of the 1994 International Symposium on
                 Software Testing and Analysis (ISSTA): August 17--19,
                 1994, Seattle, WA, USA",
  editor =       "Thomas Ostrand",
  publisher =    "ACM Press",
  address =      "New York, NY 10036, USA",
  year =         "1994",
  coden =        "SFENDP",
  ISBN =         "0-89791-683-2",
  ISSN =         "0163-5948",
  LCCN =         "QA76.76.T48 I58 1994",
  bibdate =      "Sun Dec 22 10:18:08 MST 1996",
  series =       "ACM Sigsoft",
  issue =        "spec. issue. p. 216-227",
}


@inproceedings{186508,
 author = {Dennis Peters and David L. Parnas},
 title = {Generating a test oracle from program documentation: work in progress},
 booktitle = {Proceedings of the 1994 ACM SIGSOFT international symposium on Software testing and analysis},
 year = {1994},
 ISBN = {0-89791-683-2},
 pages = {58--65},
 location = {},
 doi = {http://doi.acm.org/10.1145/186258.186508},
 publisher = {ACM Press},
 }


@InProceedings{PetersP94,
  author = 	 "Dennis Peters and David L. Parnas",
  title = 	 "Generating a test oracle from program documentation",
  booktitle = 	 ISSTA94,
  pages = 	 "58--65",
  year = 	 1994,
  address =	 ISSTA94addr,
  month = 	 ISSTA94date,
  abstract =     "A fundamental assumption of software testing is that
		  there is some mechanism, an oracle, that will determine
		  whether or not the results of a test execution are
		  correct. In practice this is often done by comparing the
		  output, either automatically or manually, to some
		  pre-calculated, presumably correct, output [17]. However,
		  if the program is formally documented it is possible to
		  use the specification to determine the success or failure
		  of a test execution, as in [1], for example. This paper
		  discusses ongoing work to produce a tool that will
		  generate a test oracle from formal program documentation.
                  \par
                  In [9], [10] and [11] Parnas et al. advocate the use of a
                  relational model for documenting the intended behaviour
                  of programs. In this method, tabular expressions are used
                  to improve readability so that formal documentation can
                  replace conventional documentation. Relations are
                  described by giving their characteristic predicate in
                  terms of the values of concrete program variables. This
                  documentation method has the advantage that the
                  characteristic predicate can be used as the test oracle
                  -- it simply must be evaluated for each test execution
                  (input & output) to assign pass or fail. In contrast to
                  [1], this paper discusses the testing of individual
                  programs, not objects as used in [1]. Consequently, the
                  method works with program documentation, written in terms
                  of the concrete variables, and no representation function
                  need be supplied. Documentation in this form, and the
                  corresponding oracle, are illustrated by an example.
                  \par
                  Finally, some of the implications of generating
                  test oracles from relational specifications are discussed."
}







@InProceedings{ShankarB2007,
  author = 	 "Ajeet Shankar and Rastislav Bod{\'\i}k",
  authorASCII =  "Rastislav Bodik",
  title = 	 "Ditto: Automatic incrementalization of data structure invariant checks (in {Java})",
  booktitle =    PLDI2007,
  pages = 	 "310--319",
  year = 	 2007,
  address = 	 PLDI2007addr,
  month = 	 PLDI2007date,
  abstract =
   "We present Ditto, an automatic incrementalizer for dynamic,
    side-effect-free data structure invariant checks. Incrementalization speeds
    up the execution of a check by reusing its previous executions, checking
    the invariant anew only on the changed parts of the data structure. Ditto
    exploits properties specific to the domain of invariant checks to automate
    and simplify the process without restricting what mutations the program can
    perform. Our incrementalizer works for modern imperative languages such as
    Java and C#. It can incrementalize, for example, verification of red-black
    tree properties and the consistency of the hash code in a hash table
    bucket. Our source-to-source implementation for Java is automatic,
    portable, and efficient. Ditto provides speedups on data structures with as
    few as 100 elements; on larger data structures, its speedups are
    characteristic of non-automatic incrementalizers: roughly 5-fold at 5,000
    elements, and growing linearly with data structure size.",
}






@InProceedings{ZeeKTR2007,
  author = 	 "Karen Zee and Viktor Kuncak and Michael Taylor and Martin Rinard",
  title = 	 "Runtime checking for program verification",
  booktitle = RV2007,
  pages = 	 "202--213",
  year = 	 2007,
  address = 	 RV2007addr,
  month = 	 RV2007date,
  abstract =
   "The process of verifying that a program conforms to its specification is
    often hampered by errors in both the program and the specification. A
    runtime checker that can evaluate formal specifications can be useful for
    quickly identifying such errors. This paper describes our preliminary
    experience with incorporating run-time checking into the Jahob verification
    system and discusses some lessons we learned in this process. One of the
    challenges in building a runtime checker for a program verification system
    is that the language of invariants and assertions is designed for
    simplicity of semantics and tractability of proofs, and not for run-time
    checking. Some of the more challenging constructs include existential and
    universal quantification, set comprehension, specification variables, and
    formulas that refer to past program states. In this paper, we describe how
    we handle these constructs in our runtime checker, and describe directions
    for future work.",
}





%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Applications and test inputs
%%%



@InProceedings{HarroldRWY98,
  author = 	 "Mary Jean Harrold and Gregg Rothermel and Rui Wu and Liu Yi",
  title = 	 "An Empirical Investigation of Program Spectra",
  booktitle = 	 PASTE98,
  pages =	 "83--90",
  year =	 1998,
  address =	 PASTE98addr,
  month =	 PASTE98date
}


@Article{HarroldRSWY2000,
  author = 	 "Mary Jean Harrold and Gregg Rothermel and Kent Sayre and
                  Rui Wu and Liu Yi",
  title = 	 "An Empirical Investigation of the Relationship Between
                  Spectra Differences and Regression Faults",
  journal = 	 "Software Testing, Verification, and Reliability",
  year = 	 2000,
  volume =	 10,
  number =	 3,
  pages =	 "171--194",
  month =	 sep
}


@Article{RothermelH98,
  author = 	 "Gregg Rothermel and Mary Jean Harrold",
  title = 	 "Empirical studies of a safe regression test selection technique",
  journal = 	 IEEETSE,
  year = 	 1998,
  volume =	 24,
  number =	 6,
  pages =	 "401--419",
  month =	 jun
}



@TechReport{RothermelH97,
  author = 	 "Gregg Rothermel and Mary Jean Harrold",
  title = 	 "Empirical Studies of a Safe Regression Test Selection Technique",
  institution =  "Oregon State University",
  year = 	 1997,
  number =	 "97-60-13",
  note =	 "To appear in IEEE Transactions on Software Engineering"
}


@InProceedings{HutchinsFGOS94,
  author = 	 "Monica Hutchins and Herb Foster and Tarak Goradia and
		  Thomas Ostrand",
  title = 	 "Experiments on the effectiveness of dataflow- and
		  controlflow-based test adequacy criteria",
  booktitle = 	 ICSE94,
  pages =	 "191--200",
  year =	 1994,
  address =	 ICSE94addr,
  month =	 ICSE94date
}




@Book{WeissDSAAJ99,
  author =	 "Mark Allen Weiss",
  title = 	 "Data Structures and Algorithm Analysis in {Java}",
  publisher = 	 "Addison Wesley Longman",
  year = 	 1999
}



@Misc{6.170:spring2001,
  author =	 "{MIT Dept.\ of EECS}",
  title =	 "6.170: Laboratory in Software Engineering",
  howpublished = "\url{http://www.mit.edu/~6.170/}",
  month =	 "Spring",
  year =	 2001,
  OPTnote = 	 "",
  OPTannote = 	 ""
}

@Misc{6.897:spring2001,
  author =	 "{MIT Dept.\ of EECS}",
  title =	 "6.897: Modeling and Analyzing Really Complicated Systems,
		  Using State Machines",
  howpublished = "\url{http://theory.csail.mit.edu/classes/6.897/}",
  month =	 "Spring",
  year =	 2001,
  OPTnote = 	 "",
  OPTannote = 	 ""
}

@Misc{Blackdown:JDK1.1.8,
  author =	 "{Blackdown project}",
  title =	 "Java {D}evelopment {K}it ({JDK}) version 1.1.8 for {L}inux",
  howpublished = "\url{http://www.blackdown.org/}",
  year =         2000,
}


@Book{Flanagan97,
  author =	 "David Flanagan",
  title = 	 "Java Examples in a Nutshell:  A Tutorial Companion to Java in a Nutshell",
  publisher = 	 "O'Reilly and Associates",
  year = 	 1997,
  address =	 "Sebastopol, CA",
  month =	 sep
}

@Book{Flanagan99,
  author =	 "David Flanagan",
  title = 	 "Java in a Nutshell: A Desktop Quick Reference",
  publisher = 	 "O'Reilly and Associates",
  year = 	 1999,
  address =	 "Sebastopol, CA",
  edition = 	 "3rd",
  month =	 sep
}



@Misc{BennettLMRRHR99,
  author =	 "Brian Bennett and Avraham Leff and Thomas A. Mikalsen
                  and James T. Rayfield and Isabelle Rouvellou
                  and Bill Hahm and Kevin Rasmus",
  title =	 "An {OO} Framework and Implementation for Long Running Business Processes",
  year =	 1999
}




@Misc{Cockrell503,
  author =	 "Jake Cockrell",
  title =	 "Applying Type Inference in the process of Dynamically
		  Detecting likely program invariants",
  month =	 mar,
  year =	 1999,
  note =	 "\url{http://homes.cs.washington.edu/~jake/work/class/inv_infer.html}"
}


@Misc{CockrellQuals,
  author =	 "Jake Cockrell",
  title =	 "Producing execution traces for dynamic invariant detection",
  month =	 may,
  year =	 1999,
  OLDnote =	 "\url{http://homes.cs.washington.edu/~jake/work/quals-final.ps}"
}


@Misc{Thaung99,
  author =	 "Aung Thaung",
  title =	 "The Relationship Between Program Invariants and Software Failures",
  month =	 mar,
  year =	 1999,
  note =	 "\url{http://homes.cs.washington.edu/~aung/503/503.htm}"
}


@InProceedings{JacksonW99,
  author = 	 "Daniel Jackson and Allison Waingold",
  title = 	 "Lightweight extraction of object models from bytecode",
  booktitle = 	 ICSE99,
  pages =	 "194--202",
  year =	 1999,
  address =	 ICSE99addr,
  month =	 ICSE99date,
  abstract =
   "A program's object model captures the essence of its design. For
    some programs, no object model was developed during design; for others, an
    object model exists but may be out-of-sync with the code.  This paper
    describes a tool that automatically extracts an object model from the
    classfiles of a Java program. Although the tool performs only a simple,
    heuristic analysis that is al-most entirely local, the resulting object
    model is surprisingly accurate.  The paper explains the form of the object
    model, the assumptions upon which the analysis is based, and its
    limitations, and evaluates the tool on a suite of sample programs."
}



@Misc{Mauve,
  key = 	 "Mauve",
  OPTauthor = 	 "",
  title = 	 "Mauve test suite for the {Java} class libraries",
  howpublished = "\url{http://sourceware.cygnus.com/mauve/}",
  OPTmonth = 	 "",
  OPTyear = 	 "",
  OPTnote = 	 "",
  OPTannote = 	 ""
}








@Book{Morgan94,
  key =          "Morgan",
  author =       "Carroll Morgan",
  title =        "Programming from Specifications: Second Edition",
  publisher =    "Prentice Hall International",
  address =      "Hempstead, UK",
  year =         "1998",
  url =		 "http://web.comlab.ox.ac.uk/oucl/publications/books/PfS/",
  annote =       "44 references.",
}




@InProceedings{AraragiK00,
  author = 	 "Tadashi Araragi and Kiyoshi Kogure",
  title = 	 "Dynamic Downloading of Communications Protocols Using a
		  Logic Based Agent System",
  booktitle = 	 "CLIMA00: The Workshop on Computational Logic in
		  Multi-Agent Systems",
  pages =	 "27--34",
  year = 	 2000,
  address = 	 "London, UK",
  month = 	 jul # "~24--25,",
  abstract =     "In this paper, we present a framework for dynamically
		  downloading communications protocols, which enables
		  interoperability between independently devolved agents.
		  For this framework, we introduce generic communications
		  protocol programs (GCP programs) and communication
		  profiles.  We also present a logic-based agent system
		  (Erdos) and show that the implementation of the framework
		  is easily achieved by using this system.  Finally, we
		  discuss a verification method for GCP programs cuing the
		  CTL model checking facility of Erdos."
}






@InProceedings{DemskyR2003,
  author = 	 "Brian Demsky and Martin Rinard",
  title = 	 "Automatic detection and repair of errors in data structures",
  booktitle =	 OOPSLA2003,
  pages =	 "78--95",
  year =	 2003,
  address =	 OOPSLA2003addr,
  month =	 OOPSLA2003date,
  abstract =
   "We present a system that accepts a specification of key data structure
    consistency constraints, then dynamically detects and repairs violations of
    these constraints, enabling the program to continue to execute productively
    even in the face of otherwise crippling errors. Our experience using our
    system indicates that the specifications are relatively easy to develop
    once one understands the data structures. Furthermore, for our set of
    benchmark applications, our system can effectively repair inconsistent data
    structures and enable the program to continue to operate successfully.",
}


@InProceedings{DemskyR2005,
  author = 	 "Brian Demsky and Martin Rinard",
  title = 	 "Data structure repair using goal-directed reasoning",
  booktitle =	 ICSE2005,
  pages =	 "176--185",
  year =	 2005,
  address =	 ICSE2005addr,
  month =	 ICSE2005date,
  abstract =
   "Data structure repair is a promising technique for enabling programs to
    execute successfully in the presence of otherwise fatal data structure
    corruption errors. Previous research in this field relied on the developer
    to write a specification to explicitly translate model repairs into
    concrete data structure repairs, raising the possibility of 1) incorrect
    translations causing the supposedly repaired concrete data structures to be
    inconsistent, and 2) repaired models with no corresponding concrete data
    structure representation.We present a new repair algorithm that uses
    goal-directed reasoning to automatically translate model repairs into
    concrete data structure repairs. This new repair algorithm eliminates the
    possibility of incorrect translations and repaired models with no
    corresponding representation as concrete data structures.",
}


%%%
%%% Security
%%%

@InProceedings{Ko2000,
  author = 	 "Calvin Ko",
  title = 	 "Logic Induction of Valid Behavior Specifications for
                  Intrusion Detection",
  booktitle =	 "IEEE Symposium on Security and Privacy",
  pages =	 "142--153",
  year =	 2000,
  MAYBEaddress =	 "Berkeley, California",
  month =	 may # "~14--17,",
  abstract =
   "This paper introduces an automated technique for constructing valid
    behavior specifications of programs (at the system call level) that are
    independent of system vulnerabilities and are highly effective in
    identifying intrusions. The technique employs a machine learning method,
    Inductive Logic Programming (ILP), for synthesizing first order logic
    formulas that describe the valid operations of a program from the normal
    runs of the program. ILP, backed by theories and techniques extended from
    computational logic, allows the use of complex domain-specific background
    knowledge in the learning process to produce sound and consistent
    knowledge. A specification induction engine has been developed by extending
    an existing ILP tool and has been used to construct specifications for
    several (> 10) privileged programs in Unix. Coupling with rich background
    knowledge in systems and security, the prototype induction engine generates
    human understandable and analyzable specifications that are as good as
    those specified by a human. Preliminary experiments with existing attacks
    show that the generated specifications are highly effective in detecting
    attacks that subvert privileged programs to gain unauthorized accesses to
    resources."
}



@InProceedings{GiffinJM02,
  author = 	 "Jonathon T. Giffin and Somesh Jha and Barton P. Miller",
  title = 	 "Detecting Manipulated Remote Call Streams",
  booktitle =	 "USENIX Security Symposium 2002 (Security '02)",
  pages =	 "61--79",
  year =	 2002,
  address =	 "San Francisco",
  month =	 aug # "~5--9,",
  abstract =
   "In the Internet, mobile code is ubiquitous and includes such examples as
    browser plug-ins, Java applets, and document macros. In this paper, we
    address an important vulnerability in mobile code security that exists in
    remote execution systems such as Condor, Globus, and SETI{\atsign}Home.
    These systems schedule user jobs for execution on remote idle machines.
    However, they send most of their important system calls back to the local
    machine for execution. Hence, an evil process on the remote machine can
    manipulate a user's job to send destructive system calls back to the local
    machine. We have developed techniques to remotely detect such manipulation.
    \par
    Before the job is submitted for remote execution, we construct a model of
    the user's binary program using static analysis. This binary analysis is
    applicable to commodity remote execution systems and applications. During
    remote job execution, the model checks all system calls arriving at the
    local machine. Execution is only allowed to continue while the model
    remains valid. We begin with a finite-state machine model that accepts
    sequences of system calls and then build optimizations into the model to
    improve its precision and efficiency. We also propose two program
    transformations, renaming and null call insertion, that have a significant
    impact on the precision and efficiency. As a desirable side-effect, these
    techniques also obfuscate the program, thus making it harder for the
    adversary to reverse engineer the code. We have implemented a simulated
    remote execution environment to demonstrate how optimizations and
    transformations of the binary program increase the precision and
    efficiency. In our test programs, unoptimized models increase run-time by
    0.5\% or less. At moderate levels of optimization, run-time increases by
    less than 13\% with precision gains reaching 74\%."
}



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Miscellaneous
%%%

@InProceedings{SOSP97*27,
  author =       "Stefan Savage and Michael Burrows and Greg Nelson and
                 Patrick Sobalvarro and Thomas Anderson",
  title =        "Eraser: {A} Dynamic Data Race Detector for
                 Multi-Threaded Programs",
  pages =        "27--37",
  booktitle =    SOSP97,
  month =        SOSP93date,
  year =         1997,
  address =      SOSP97addr,
}



@InProceedings{JohnsonSch96,
  author =       "Richard Johnson and Michael Schlansker",
  title =        "Analysis Techniques for Predicated Code",
  booktitle =    "Proceedings of the 29th Annual International Symposium
                 on Microarchitecture",
  address =      "Paris, France",
  organization = "IEEE Computer Society TC-MICRO and ACM SIGMICRO",
  month =        dec # " 2--4,",
  year =         "1996",
  pages =        "100--113",
}
@Book{Park91,
  author =       "J. C. H. Park and M. S. Schlansker",
  title =        "On predicated execution",
  publisher =    "Hewlett Packard Laboratories",
  year =         "1991",
}

@InProceedings{RepsBDL97,
  author =       "Thomas Reps and Thomas Ball and Manuvir Das and James Larus",
  title =        "The Use of Program Profiling for Software Maintenance
                 with Applications to the Year 2000 Problem",
  booktitle =    FSE97,
  year =         1997,
  pages =        "432--449",
  address =	 FSE97addr,
  month =	 FSE97date,
  abstract =
   "This paper describes new techniques to help with testing and debugging,
    using information obtained from path profiling. A path profiler instruments
    a program so that the number of times each different loop-free path
    executes is accumulated during an execution run. With such an instrumented
    program, each run of the program generates a path spectrum for the
    execution --- a distribution of the paths that were executed during that
    run. A path spectrum is a finite, easily obtainable characterization of a
    program's execution on a dataset, and provides a behavior signature for a
    run of the program.
    \par
	Our techniques are based on the idea of comparing path spectra from
    different runs of the program. When different runs produce different
    spectra, the spectral differences can be used to identify paths in the
    program along which control diverges in the two runs. By choosing input
    datasets to hold all factors constant except one, the divergence can be
    attributed to this factor. The point of divergence itself may not be the
    cause of the underlying problem, but provides a starting place for a
    programmer to begin his exploration.
    \par
	One application of this technique is in the ``Year 2000 Problem''
    (i.e., the problem of fixing computer systems that use only 2-digit year
    fields in date-valued data). In this context, path-spectrum comparison
    provides a heuristic for identifying paths in a program that are good
    candidates for being date-dependent computations. The application of
    path-spectrum comparison to a number of other software-maintenance issues
    is also discussed.
    \par
	Key Words and Phrases: Path profiling, path-spectrum comparison,
    testing, debugging, year 2000 problem, date-dependent computations,
    self-monitoring programs."
}


@InProceedings{LukoitWSH2000,
  author = 	 "Kazimiras Lukoit and Norman Wilde and Scott Stowell and
                  Tim Hennessey",
  title = 	 "{TraceGraph}: Immediate visual location of software features",
  booktitle =	 ICSM2000,
  pages =	 "33--39",
  year =	 2000,
  address =	 ICSM2000addr,
  month =	 ICSM2000date,
  abstract =
   "Software engineers often need to locate where particular features of a
    program are implemented in order to fix a bug or introduce an
    enhancement. This paper describes a tool called TraceGraph to support this
    task, particularly for large, long-running or interactive
    software. TraceGraph provides a simple visual display of the program's
    trace, which allows changes in execution to be easily distinguished. A
    software engineer can run the feature he or she is interested in, and
    immediately view how program execution varies. Case studies on two large
    systems show how TraceGraph may be applied to different kinds of
    traces. Displays similar to TraceGraph would be good candidates for
    inclusion in software monitoring or debugging systems."
}


@Manual{PythonReferenceManual,
  title = 	 "Python Reference Manual",
  author =	 "Guido {van Rossum}",
  edition =	 "Release 1.5",
  month =	 dec # "~31,",
  year =	 1997,
  howpublished = 	 "{\tt http://www.python.org/doc/}",
  URL =		 "http://www.python.org/doc/"
}


@Manual{PythonLibraryReference,
  title = 	 "Python Library Reference",
  author =	 "Guido {van Rossum}",
  edition =	 "Release 1.5",
  month =	 feb # "~17,",
  year =	 1997,
  note = 	 "\url{http://www.python.org/doc/}",
}


@Manual{EDG-manual,
  title = 	 "C++ Front End Internal Documentation",
  key = 	 "EDG",
  organization = "Edison Design Group",
  edition =	 "Version 2.28",
  month =	 mar,
  year =	 1995,
  note =	 "http://www.edg.com"
}



@InProceedings{Romer:1997:IOW,
  author =       "Ted Romer and Geoff Voelker and Dennis Lee and Alec
                 Wolman and Wayne Wong and Hank Levy and Brian Bershad
                 and J. Bradley Chen",
  title =        "Instrumentation and Optimization of {Win32\slash
                 Intel} Executables Using {E}tch",
  EXTRAeditor =       "{USENIX}",
  booktitle =    "The {USENIX} Windows {NT} Workshop",
  publisher =    "USENIX",
  address =      "Seattle, WA",
  month =        aug # "~11--13,",
  year =         1997,
  ISBN =         "1-880446-88-X",
  EXTRAinstitution =  "University of Washington (authors 1-7)",
  pages =        "1--7",
  bibdate =      "Tue Sep 23 06:19:54 1997",
}

@InProceedings{SrivastavaE94,
  author = 	 "Amitabh Srivastava and Alan Eustace",
  title = 	 "{ATOM} --- A System for Building Customized Program Analysis Tools",
  booktitle = 	 pldi94,
  pages =	 "196--205",
  year =	 1994,
  address =	 pldi94addr,
  month =	 jun
}


@InProceedings{SrivastavaW94,
  author = 	 "Amitabh Srivastava and David W. Wall",
  title = 	 "Link-time optimization of address calculation on a 64-bit
                  architecture",
  booktitle =	 PLDI94,
  pages =	 "29--60",
  year =	 1994,
  address =	 PLDI94addr,
  month =	 PLDI94date
}


@InProceedings{LarusS95,
  author = 	 "James R. Larus and Eric Schnarr",
  title = 	 "{EEL}: Machine-independent executable editing",
  booktitle =	 PLDI95,
  pages =	 "291--300",
  year =	 1995,
  address =	 PLDI95addr,
  month =	 PLDI95date
}


@InProceedings{RomerVLWWLBC97,
  author = 	 "Ted Romer and Geoff Voelker and Dennis Lee and Alec
                  Wolman and Wayne Wong and Hank Levy and Brian Bershad and
                  Brad Chen",
  title = 	 "Instrumentation and optimization of {Win32/Intel} executables using {Etch}",
  booktitle =	 USENIXWinNT97,
  NOpages = 	 "",
  year =	 1997,
  address =	 USENIXWinNT97addr,
  month =	 USENIXWinNT97date
}


@InProceedings{BrueningDA2001,
  author = 	 "Derek Bruening and Evelyn Duesterwald and Saman Amarasinghe",
  title = 	 "Design and implementation of a dynamic optimization
                  framework for {Windows}",
  booktitle =	 FDDO2001,
  NEEDpages = 	 "",
  year =	 2001,
  address =	 FDDO2001addr,
  month =	 FDDO2001date
}


@article{IconHashing,
author = "W. G. Griswold and G. M. Townsend",
title = "The Design and Implementation
        of Dynamic Hashing for Sets and Tables in Icon",
journal = j-SPE,
publisher = "Wiley and Son",
month = Apr,
year = 1993,
abstract =    "Two key features in the Icon programming language are tables
               and sets. An Icon program may use one large set or table, or
               thousands of small ones.  To Improve space and time performance
               for these diverse uses, their hashed data structures were
               reimplemented to dynamically resize during execution, reducing
               the minimum space requirement and achieving constant-time
               access to any element for virtually any size set or table. The
               implementation is adapted from Per-AAke Larson's dynamic
               hashing technique by using well-known base-2 arithmetic
               techniques to decrease the space required for small tables
               without degrading the performance of large tables.  Also
               presented are techniques to prevent dynamic hashing from
               interfering with other Icon language features.  Performance
               measurements are included to support the results."
}


@book{designpatterns,
  title="Design Patterns",
  author="Erich Gamma and Richard Helm and Ralph E. Johnson and John Vlissides",
  publisher="Addison-Wesley",
  address="Reading, MA",
  year=1995
}


@Article{IEEETSE::KnightL1986,
  title =        "An Experimental Evaluation of the Assumption of
                 Independence in Multiversion Programming",
  author =       "John C. Knight and Nancy G. Leveson",
  journal =      TSE,
  pages =        "96--109",
  month =        jan,
  year =         "1986",
  volume =       "12",
  number =       "1",
}


@Article{LevesonCKS90,
  author =       "Nancy G. Leveson and Stephen S. Cha and John C. Knight
                 and Timothy J. Shimeall",
  title =        "The Use of Self Checks and Voting in Software Error
                 Detection: An Empirical Study",
  journal =      TSE,
  volume =       "16",
  number =       "4",
  month =        apr,
  pages =        "432--443",
  year =         "1990",
  abstract =     "This paper presents the results of an empirical study
                 of software error detection using self checks and
                 N-version voting. A total of 24 graduate students in
                 computer science at the University of Virginia and the
                 University of California, Irvine, were hired as
                 programmers. Working independently, each first prepared
                 a set of self checks to an existing implementation of
                 that specification. The modified programs were executed
                 to measure the error-detection performance of the
                 checks and to compare this with error detection using
                 simple voting among multiple versions. The goal of this
                 study was to learn more about the effectiveness of such
                 checks. The analysis of the checks revealed that there
                 are great differences in the ability of individual
                 programmers to design effective checks. We found that
                 some checks which might have been effective failed to
                 detect an error because they were badly placed, and
                 there were numerous instances of checks signaling
                 nonexistent errors. In general, specification-based
                 checks alone were not as effective as combining them
                 with code-based checks. Using self checks, faults were
                 identified that had not been detected previously by
                 voting 28 versions of the program over a million
                 randomly-generated inputs. This appeared to result from
                 the fact that the self checks could examine the
                 internal state of the executing program whereas voting
                 examines only the final results of computations. If
                 internal states had to be consistent in N-version
                 voting systems, then there would be no reason to write
                 multiple versions. The programs were executed on 100,000
                 new randomly-generated input cases in order to
                 compare error detection by self checks and by 2-version
                 and 3-version voting. Both self checks and voting
                 techniques led to the identification of the same number
                 of faults for this input, although the identified
                 faults were not the same. Furthermore, whereas the self
                 checks were always effective at detecting an error
                 caused by a particular fault (if they ever did),
                 N-version voting triples and pairs were only partially
                 effective at detecting the failures caused by
                 particular faults. Finally, checking the internal state
                 with self checks also resulted in finding faults that
                 did not cause failures for the particular input case
                 executed. This has important implications for the use
                 of back-to-back testing.",
}





@Article{ShimeallL91,
  author = 	 "Timothy J. Shimeall and Nancy G. Leveson",
  title = 	 "An Empirical Comparison of Software Fault Tolerance and
                  Fault Elimination",
  journal = 	 TSE,
  year = 	 1991,
  volume =	 17,
  number =	 2,
  pages =	 "173--182",
  month =	 feb
}






@mastersthesis{RWMJones:95,
        author = "Richard W. M. Jones",
        title = "A Strategy for Finding the Optimal Data Placement for
		 Regular Programs",
        school = "Department of Computing, Imperial College",
        year = 1996,
}



@InProceedings{DZS97,
  author =       "Robert DeLine and Gregory Zelesnik and Mary Shaw",
  title =        "Lessons on Converting Batch Systems to Support Interaction",
  booktitle =    ICSE97,
  year =         "1997",
  address =      ICSE97addr,
  month =        ICSE97date,
  pages =        "195--204",
  keyword =      "sw architectures, architectural language, UNICON",
}





@InProceedings{BiddleMMWT99,
  author = 	 "Robert Biddle and Stuart Marshall and John Miller-Williams and Ewan Tempero",
  title = 	 "Reuse of debuggers for visualization of reuse",
  booktitle =	 SSR99,
  pages = 	 "92--100",
  year =	 1999,
  address =	 SSR99addr,
  month =	 SSR99date
}


@TechReport{BiddleMMWT98,
  author = 	 "Robert Biddle and Stuart Marshall and John Miller-Williams and Ewan Tempero",
  title = 	 "Reuse of debuggers for visualization of reuse",
  institution =  "Victoria University of Wellington, School of Mathematical
		  and Computing Sciences",
  year = 	 1998,
  number =	 "CS-TR-98/10",
  address =	 "Wellington, New Zealand",
  month =	 nov,
  supersededby = "BiddleMMWT99",
}



@TechReport{MillerWilliamsBT98,
  author = 	 "John Miller-Williams and Robert Biddle and Ewan Tempero",
  title = 	 "Rapid Implementation of a Program Visualisation System",
  institution =  "Victoria University of Wellington",
  year = 	 1998,
  number = 	 "CS-TR-98-2",
  address = 	 "Wellington, New Zealand",
  abstract =
   "This paper documents the rapid implementation of a system for
    visualisation of the execution of C++ programs on a Unix system.  The
    system was to produce dynamic diagrams representing data and control
    structures so as to assist programmers determine reusable components
    within the program. Such a system would normally involve a considerable
    amount of low-level and high-level programming, but we avoided much of
    thus by extensive use of several programming tools.
    \par
      We first used the Gnu C++ debugger Gdb, which allows interactive
    control of C++ program execution, and retrieval of textual information
    about the program. We then used Expect, a system that allows automatic
    control of a text interface of a program, to retrieve information about
    the C++ program using Gdb. In conjunction with Expect, we used the
    scripting language Tcl and user interface toolkit Tk to analyse the
    information, draw diagrams, and provide user control.
    \par
      The end result was a successful program visualisation system produced
    in a fraction of the time that would otherwise have been necessary. While
    program visualisation is a relatively specialised application, all this
    technology would be similarly useful for many other applications."
}


@Article{AmmannK1988,
  author = 	 "Paul E. Ammann and John C. Knight",
  title = 	 "Data Diversity: An Approach to Software Fault Tolerance",
  journal = 	 "IEEE Trans. Comput.",
  year = 	 1988,
  volume =	 37,
  number =	 4,
  pages =	 "418--425",
  month =	 apr,
  abstract =
   "Data diversity is described, and the results of a pilot study are
    presented. The regions of the input space that cause failure for certain
    experimental programs are discussed, and data reexpression, the way in
    which alternate input data sets can be obtained, is examined. A description
    is given of the retry block which is the data-diverse equivalent of the
    recovery block, and a model of the retry block, together with some
    empirical results is presented. N-copy programming which is the
    data-diverse equivalent of N-version programming is considered, and a
    simple model and some empirical results are also given.",
}



@Article{Wasserman:1997:SRR,
  author =       "Hal Wasserman and Manuel Blum",
  title =        "Software reliability via run-time result-checking",
  journal =      "Journal of the ACM",
  volume =       "44",
  number =       "6",
  pages =        "826--849",
  month =        nov,
  year =         "1997",
  coden =        "JACOAH",
  ISSN =         "0004-5411",
  bibdate =      "Fri Feb 13 15:58:32 MST 1998",
  url =          "http://www.acm.org:80/pubs/citations/journals/jacm/1997-44-6/p826-wasserman/",
  abstract =     "We review the field of result-checking, discussing
                 simple checkers and self-correctors. We argue that such
                 checkers could profitably be incorporated in software
                 as an aid to efficient debugging and enhanced
                 reliability. We consider how to modify traditional
                 checking methodologies to make them more appropriate
                 for use in real-time, real-number computer systems. In
                 particular, we suggest that checkers should be allowed
                 to use stored randomness: that is, that they should be
                 allowed to generate, preprocess, and store random bits
                 prior to run-time, and then to use this information
                 repeatedly in a series of run-time checks. In a case
                 study of checking a general real-number linear
                 transformation (e.g., a Fourier Transform), we present
                 a simple checker which uses stored randomness, and a
                 self-corrector which is particularly efficient if
                 stored randomness is employed.",
  keywords =     "algorithms; reliability; verification",
  subject =      "{\bf D.2.5} Software, SOFTWARE ENGINEERING, Testing
                 and Debugging. {\bf F.2.1} Theory of Computation,
                 ANALYSIS OF ALGORITHMS AND PROBLEM COMPLEXITY,
                 Numerical Algorithms and Problems, Computation of
                 transforms. {\bf F.3.1} Theory of Computation, LOGICS
                 AND MEANINGS OF PROGRAMS, Specifying and Verifying and
                 Reasoning about Programs.",
}


@InProceedings{issta93*1,
  author =       "Manuel Blum",
  title =        "Designing Programs to Check Their Work",
  pages =        1,
  ISBN =         "0-89791-608-5",
  editor =       "Thomas Ostrand and Elaine Weyuker",
  booktitle =    ISSTA93,
  month =        jun,
  year =         1993,
}




@Article{Blum:1995:DPC,
  author =       "Manuel Blum and Sampath Kannan",
  title =        "Designing Programs that Check Their Work",
  journal =      "Journal of the Association for Computing Machinery",
  volume =       42,
  number =       1,
  pages =        "269--291",
  month =        jan,
  year =         1995,
  coden =        "JACOAH",
  ISSN =         "0004-5411",
  bibdate =      "Mon May 15 21:04:34 1995",
  url =          "http://www.acm.org/pubs/toc/Abstracts/0004-5411/200880.html",
  abstract =     "A {\em program correctness checker\/} is an algorithm
                 for checking the output of a computation. That is,
                 given a program and an instance on which the program is
                 run, the checker certifies whether the output of the
                 program on that instance is correct. This paper defines
                 the concept of a program checker. It designs program
                 checkers for a few specific and carefully chosen
                 problems in the class FP of functions computable in
                 polynomial time. Problems in FP for which checkers are
                 presented in this paper include Sorting, Matrix Rank
                 and GCD. It also applies methods of modern
                 cryptography, especially the idea of a probabilistic
                 interactive proof, to the design of program checkers
                 for group theoretic computations.\par Two structural
                 theorems are proven here. One is a characterization of
                 problems that can be checked. The other theorem
                 establishes equivalence classes of problems such that
                 whenever one problem in a class is checkable, all
                 problems in the class are checkable.",
  keywords =     "algorithms; design; reliability; theory;
                 verification",
  subject =      "{\bf D.2.4}: Software, SOFTWARE ENGINEERING, Program
                 Verification, Correctness proofs. {\bf D.2.4}:
                 Software, SOFTWARE ENGINEERING, Program Verification,
                 Reliability. {\bf F.2.0}: Theory of Computation,
                 ANALYSIS OF ALGORITHMS AND PROBLEM COMPLEXITY, General.
                 {\bf F.3.1}: Theory of Computation, LOGICS AND MEANINGS
                 OF PROGRAMS, Specifying and Verifying and Reasoning
                 about Programs. {\bf G.3}: Mathematics of Computing,
                 PROBABILITY AND STATISTICS, Probabilistic algorithms
                 (including Monte Carlo).",
}


@Book{Lovasz86,
  author =	 "L\'aszl\'o Lov\'asz",
  title = 	 "An Algorithmic Theory of Numbers, Graphs and Convexity",
  publisher = 	 "Society for Industrial and Applied Mathematics",
  year = 	 1986,
  address =	 "Philadelphia, PA"
}






@InProceedings{HindPioliSAS,
  author = 	 "Michael Hind and Anthony Pioli",
  title = 	 "Assessing the Effects of Flow-Sensitivity on Pointer
		  Alias Analyses",
  booktitle = 	 "5th International Symposium on Program Analysis, SAS'98",
  pages =	 "57--81",
  year =	 1998,
  month =	 sep
}


@inproceedings{HorwitzPointers,
author = "Marc Shapiro and Susan Horwitz",
title = "The Effects of Precision on Pointer Analysis",
booktitle = SAS97,
pages = "16--34",
address = SAS97addr,
year = 1997,
month = SAS97date
}

@phdthesis{AndersenPhD,
author = "Lars Ole Andersen",
title = "Program Analysis and Specialization for the {C} Programming Language",
school = "DIKU, University of Copenhagen",
note = "DIKU report 94/19",
year = 1994,
month = may
}


@InProceedings{ESEC/FSE-99*216,
  author =       "Thomas Ball",
  title =        "The Concept of Dynamic Analysis",
  pages =        "216--234",
  booktitle =    FSE99,
  month =        sep # "~6--10,",
  year =         1999,
}


@Article{Hellerstein:1999:IDA,
  author =       "Joseph M. Hellerstein and Ron Avnur and Andy Chou and
                 Christian Hidber and Chris Olston and Vijayshankar
                 Raman and Tali Roth and Peter J. Haas",
  title =        "Interactive Data Analysis: The Control Project",
  journal =      "IEEE Computer",
  volume =       "32",
  number =       "8",
  pages =        "51--59",
  month =        aug,
  year =         1999,
  coden =        "CPTRB4",
  ISSN =         "0018-9162",
  bibdate =      "Fri Aug 6 07:18:17 MDT 1999",
  url =          "http://www.computer.org/computer/co1999/r8051abs.htm;
                 http://dlib.computer.org/co/books/co1999/pdf/r8051.pdf",
}






@Misc{Larson99,
  author =	 "C. E. Larson",
  title =	 "Intelligent Machinery and Mathematical Discovery",
  howpublished = "\url{http://www.math.uh.edu/~clarson/}",
  month =	 oct # "~1,",
  year =	 1999
}




@InProceedings{Valdes-Perez98,
  author = 	 "Ra{\'u}l E. Vald{\'e}s-P{\'e}rez",
  title = 	 "Why some machines do science well",
  booktitle = 	 "International Congress on Discovery and Creativity",
  OPTcrossref =  "",
  OPTkey = 	 "",
  OPTpages = 	 "",
  year = 	 "1998",
  OPTeditor = 	 "",
  OPTvolume = 	 "",
  OPTnumber = 	 "",
  OPTseries = 	 "",
  address = 	 "Ghent, Belgium",
  OPTmonth = 	 "",
  OPTorganization = "",
  OPTpublisher = "",
  OPTnote = 	 "",
  OPTannote = 	 ""
}








@InCollection{Kleene56,
  author = 	 "S. C. Kleene",
  title = 	 "Representation of events in nerve sets",
  booktitle = 	 "Automata Studies",
  pages =	 "3--40",
  publisher =	 "Princeton University Press",
  year =	 1956,
  editor =	 "Claude E. Shannon and John McCarthy"
}
@InCollection{Kleene:56,
  author =       "S. C. Kleene",
  title =        "Representation of Events in Nerve Nets and Finite
                 Automata",
  editor =       "Claude E. Shannon and John McCarthy",
  booktitle =    "Automata Studies, Annals of Math. Studies 34",
  pages =        "3--40",
  year =         "1956",
  publisher =    "Princeton",
  address =      "New Jersey",
  added =        "1996-03-13-10-09-20",
}



@Misc{Jikes,
  key = 	 "Jikes",
  OPTauthor = 	 "",
  title = 	 "Jikes open-source {Java} compiler",
  howpublished = "\url{http://oss.software.ibm.com/developerworks/opensource/jikes/}",
  OPTmonth = 	 "",
  OPTyear = 	 "",
  OPTnote = 	 "",
  OPTannote = 	 ""
}



@Article{1976:tse:mccabe,
  title =        "A Complexity Measure",
  author =       "Thomas J. McCabe",
  pages =        "308--320",
  journal =      TSE,
  ISSN =         "0098-5589",
  year =         1976,
  volume =       "SE-2",
  month =        dec,
  number =       4,
  referencedby = "\cite{1992:tosem:kiper}, \cite{1992:book:sommerville},
                 \cite{1996:th:murphy}, \cite{1997:icse:bruegge},
                 \cite{1998:tse:canfora}, \cite{1998:tse:dutoit},
                 \cite{1998:tse:lederer}, \cite{1999:tse:briand:a}",
  annote =       "incomplete",
}


@Book{LindholmY99,
  author =	 "Tim Lindholm and Frank Yellin",
  title = 	 "The Java Virtual Machine Specification",
  publisher = 	 "Addison-Wesley",
  year = 	 1999,
  address =	 "Reading, MA, USA",
  edition =	 "2nd"
}

@Book{LindholmBBY:JVMS3,
  author =	 "Tim Lindholm and Gilad Bracha and Alex Buckley and Frank Yellin",
  title = 	 "The Java Virtual Machine Specification",
  NOpublisherYET = 	 "Addison-Wesley",
  NOaddressYET =	 "Reading, MA, USA",
  edition =	 "3rd",
}


@Misc{LindholmY99:CFF5,
  author = 	 "Tim Lindholm and Frank Yellin",
  title = 	 "The \texttt{class} File Format",
  howpublished = "\url{http://java.sun.com/docs/books/jvms/second_edition/ClassFileFormat-Java5.pdf}",
  month = 	 dec,
  year = 	 2007,
  note = 	 "Revision to chapter 4 of \cite{LindholmY99} for JDK 1.5.",
}


@Book{LindholmYBB2012,
  author = 	 "Tim Lindholm and Gilad Bracha and Alex Buckley and Frank Yellin",
  title = 	 "The Java Virtual Machine Specification",
  publisher = 	 "Oracle America",
  year = 	 2012,
  edition = 	 "{Java SE 7}",
  month = 	 feb # "~6,",
}

@Book{MeyerD97,
  author =	 "Jon Meyer and Troy Downing",
  title = 	 "Java Virtual Machine",
  publisher = 	 "O'Reilly and Associates",
  year = 	 1997,
  address =	 "Sebastopol, CA"
}


@InProceedings(Chan-CAV97,
  title = "Combining Constraint Solving and Symbolic Model Checking for
           a Class of Systems with Non-Linear Constraints",
  author = "William Chan and Richard Anderson and Paul Beame
            and David Notkin",
  booktitle = "Computer Aided Verification, 9th International Conference,
               CAV'97 Proceedings",
  pages = "316--327",
  month = jun,
  year = 1997,
  editor = "Orna Grumberg",
  address = "Haifa, Israel",
  publisher = "Springer-Verlag",
  series = "Lecture Notes in Computer Science",
  volume = 1254
)


@InProceedings{Chan-CAV2000,
  author = 	 "William Chan",
  title = 	 "Temporal-logic queries",
  booktitle = 	 "Computer Aided Verification, 12th International Conference,
               CAV 2000 Proceedings",
  pages =	 "450--463",
  year =	 2000,
  address =	 "Chicago, IL, USA",
  month =	 jul # "~15--19,"
}


@InProceedings{Das2000,
  author = 	 "Manuvir Das",
  title = 	 "Unification-based pointer analysis with directional assignments",
  booktitle = 	 PLDI2000,
  year =	 2000,
  pages =        "35--46",
  address =	 pldi2000addr,
  month =	 PLDI2000date
}



@Book{Nelson:SPM91,
  editor =       "Greg Nelson",
  title =        "Systems Programming with {Modula-3}",
  publisher =    "Prentice-Hall",
  address =      "Upper Saddle River, NJ, USA",
  numpages =        "ix + 267",
  year =         "1991",
  ISBN =         "0-13-590464-1",
  LCCN =         "QA76.66 .S87 1991",
  bibdate =      "Wed Dec 15 10:40:00 1993",
}


@Book{IB-A925064,
  author =       "Samuel P. Harbison",
  title =        "Modula-3",
  publisher =    "Prentice Hall",
  address =      "Englewood Cliffs",
  year =         "1992",
  descriptor =   "Modula-3, Objektorientierung, Programmiersprache",
  annote =       "Beschreibung der Sprache mit Uebungen",
}


@Book{GoslingJSB2000,
  author =       "James Gosling and Bill Joy and Guy Steele and Gilad Bracha",
  title =        "The Java Language Specification",
  publisher =    "Addison Wesley",
  year =         2000,
  address =	 "Boston, MA",
  edition = 	 "Second",
  ISBN     =     "0-201-63451-1",
}

@Book{GoslingJSB2005,
  author =       "James Gosling and Bill Joy and Guy Steele and Gilad Bracha",
  title =        "The Java Language Specification",
  publisher =    "Addison Wesley",
  year =         2005,
  address =	 "Boston, MA",
  edition = 	 "Third",
}


@Book{GoslingJSBB2011,
  author =       "James Gosling and Bill Joy and Guy Steele and Gilad Bracha and Alex Buckley",
  title =        "The Java Language Specification",
  OMITpublisher =    "Addison Wesley",
  publisher =    "\url{http://download.oracle.com/javase/7/specs/jls/JLS-JavaSE7.pdf}",
  year =         2011,
  OMITaddress =	 "Boston, MA",
  edition = 	 "{Java SE 7}",
  note = 	 "``2011-07-15 Full'' version",
}

@Book{GoslingJSBB2012,
  author =       "James Gosling and Bill Joy and Guy Steele and Gilad Bracha and Alex Buckley",
  title =        "The Java Language Specification",
  OMITpublisher =    "Addison Wesley",
  publisher =    "\url{http://docs.oracle.com/javase/specs/jls/se7/jls7.pdf}",
  year =         2012,
  OMITaddress =	 "Boston, MA",
  edition = 	 "{Java SE 7}",
}

@Book{ArnoldGH2000,
  author =	 "Ken Arnold and James Gosling and David Holmes",
  title = 	 "The Java Programming Language",
  publisher = 	 "Addison Wesley",
  year = 	 2000,
  address =	 "Boston, MA",
  edition =	 "Third"
}



@Book{Bloch2001,
  author = 	 "Joshua Bloch",
  title = 	 "Effective {Java} Programming Language Guide",
  publisher = 	 "Addison Wesley",
  year = 	 "2001",
  address = 	 "Boston, MA",
}


@Misc{JavaCommunity,
  key = 	 "Sun",
  OPTauthor = 	 "",
  title = 	 "Sun {Java} Community Source License Website",
  howpublished = "\url{http://www.sun.com/software/java2/}",
  OPTmonth = 	 "",
  OPTyear = 	 "",
  OPTnote = 	 "",
  OPTannote = 	 ""
}

@Misc{JavaCC,
  OPTkey = 	 "",
  author = 	 "Sreeni Viswanadha and Sriram Sankar",
  OPTtitle = 	 "",
  howpublished = "\url{http://www.experimentalstuff.com/Technologies/JavaCC/}",
  OPTmonth = 	 "",
  OPTyear = 	 "",
  OPTnote = 	 "",
  OPTannote = 	 ""
}


@Book{Stroustrup00:CPL,
  author =	 "Bjarne Stroustrup",
  title = 	 "The C++ Programming Language",
  publisher = 	 "Addison-Wesley",
  year = 	 2000,
  address =	 "Boston, MA",
  edition =	 "Special"
}




@Article{Goldberg01,
  author =	 "Carey Goldberg",
  title =	 "Auditing Classes at {M.I.T.}, on the Web and Free",
  journal =	 "New York Times",
  year = 	 2001,
  month =	 apr # "~4,"
}


@Book{Gronlund91,
  author =	 "Norman E. Gronlund",
  title = 	 "How to Write and Use Instructional Objectives",
  publisher = 	 "Prentice Hall",
  year = 	 1991,
  OPTaddress = 	 "",
}


@Book{Yin94,
  author =	 "Robert K. Yin",
  title = 	 "Case Study Research:  Design and Methods",
  publisher = 	 "Sage Publications",
  year = 	 1994,
  series =	 "Applied Social Research Methods",
  volume =	 5,
  address =	 "Thousand Oaks, CA",
  edition =	 "Second"
}



@Book{Jacobson97GJ,
  author =	 "Ivar Jacobson and Martin L. Griss and Patrik Jonsson",
  title = 	 "Software Reuse: Architecture, Process and Organization
		  for Business Success",
  publisher = 	 "Addison-Wesley",
  year = 	 1997
}

@Article{Krueger92,
  author = 	 "Charles W. Krueger",
  title = 	 "Software reuse",
  journal = 	 "ACM Computing Surveys",
  year = 	 1992,
  volume =	 24,
  number =	 2,
  pages =	 "131--183"
}

@Article{FrakesT96,
  author = 	 "William Frakes and Carol Terry",
  title = 	 "Software reuse: metrics and models",
  journal = 	 "ACM Computing Surveys",
  year = 	 1996,
  volume =	 28,
  number =	 2,
  pages =	 "415--435"
}


@Techreport{Garlan94SAIntroTR,
author = "David Garlan and Mary Shaw",
title = "An Introduction to Software Architecture",
key = "Garlan",
institution = "Carnegie Mellon University",
number = "CMU-CS-94-166",
month = "January",
year = 1994}

@InProceedings{Garlan93SEKE,
author = "David Garlan and Mary Shaw",
title = "An Introduction to Software Architecture",
key = "Garlan",
booktitle = "Advances in Software Engineering and Knowledge
Engineering",
year = 1993,
publisher = "World Scientific Publishing Company",
editor = "V.~Ambriola and G.~Tortora",
address = "Singapore",
pages = "1--39"
}




@Book{Myers79,
  author =	 "Glenford J. Myers",
  title = 	 "The Art of Software Testing",
  publisher = 	 "John Wiley and Sons",
  year = 	 1979
}

@Article{Schach:1996:TPP,
  author =       "Stephen R. Schach",
  title =        "Testing: principles and practice",
  journal =      "ACM Computing Surveys",
  volume =       "28",
  number =       "1",
  pages =        "277--279",
  month =        mar,
  year =         "1996",
  coden =        "CMSVAN",
  ISSN =         "0360-0300",
  bibdate =      "Thu Jun 26 16:49:57 MDT 1997",
  url =          "http://www.acm.org/pubs/toc/Abstracts/surveys/234422.html;
                 http://www.acm.org/pubs/citations/journals/surveys/1996-28-1/p277-schach/",
  keywords =     "languages; software engineering; testing and
                 debugging.; theory; verification; {\bf d.2.5}:
                 software",
  subject =      "{\bf D.2.5}: Software, SOFTWARE ENGINEERING, Testing
                 and Debugging.",
}


@Book{MotwaniR97,
  author =       "Rajeev Motwani and Prabhakar Raghavan",
  title =        "Randomized Algorithms",
  publisher =    "Cambridge University Press",
  year =         "1997",
}


@Misc{NTRS94,
  author =	 "{Semiconductor Industry Association}",
  title =	 "The National Technology Roadmap for Semiconductors",
  howpublished = "San Jose, CA",
  year =	 1994
}


@TechReport{RFC1094,
  author = 	 "{Sun Microsystems, Inc.}",
  title = 	 "{NFS}: Network file system protocol specification",
  institution =  "Network Information Center, SRI International",
  year = 	 1989,
  type =	 "RFC",
  number =	 1094,
  month =	 mar
}



@Misc{DieHardWithAVengeance,
  OPTkey = 	 "",
  author = 	 "John McTiernan",
  title = 	 "{Die Hard: With a Vengeance}",
  howpublished = "20th Century Fox",
  OPTmonth = 	 "",
  year = 	 "1995",
  OPTnote = 	 "",
  OPTannote = 	 ""
}

@InProceedings{BriandYS2002,
  author =       "Lionel C. Briand and Yvan Labiche and Hong Sun",
  title =        "Investigating the Use of Analysis Contracts to Support
                 Fault Isolation in Object Oriented Code",
  booktitle =	 ISSTA2002,
  pages =	 "70--80",
  year =	 2002,
  address =	 ISSTA2002addr,
  month =	 ISSTA2002date,
  abstract =
   "A number of activities involved in testing software are known to be
    difficult and time consuming. Among them is the isolation of faults once
    failures have been detected. In this paper, we investigate how the
    instrumentation of contracts could address this issue. Contracts are
    known to be a useful technique to specify the precondition and
    postcondition of operations and class invariants, thus making the
    definition of object-oriented analysis or design elements more
    precise. Our aim in this paper is to reuse and instrument contracts to
    ease testing. A thorough case study is run where we define contracts,
    instrument them using a commercial tool, and assess the benefits and
    limitations of doing so to support the isolation of faults. We then draw
    practical conclusions regarding the applicability of the approach and
    its limitations."
}



@InProceedings{BaudryLTJ2001,
  author = 	 "Benoit Baudry and Yves {Le Traon} and
                  Jean-Marc J{\'e}z{\'e}quel",
  title = 	 "Robustness and diagnosability of {OO} systems designed by
                  contracts",
  booktitle =	 "Proc of the Seventh International Software Metrics
                  Symposium METRICS",
  pages =	 "272--284",
  year =	 2001,
  address =	 "London",
  month =	 apr
}


@Article{Yellin2003,
  author = 	 "Daniel M. Yellin",
  title = 	 "Competitive algorithms for the dynamic selection of
                  component implementations",
  journal = 	 "IBM Systems Journal",
  year = 	 2003,
  volume =	 42,
  number =	 1,
  pages =	 "85--97",
  abstract =
   "As component-based development matures, more and more applications are
    built by integrating multiple distributed components. We suggest providing
    components with multiple implementations, each optimized for a particular
    workload, and augmenting the component run-time environment with a
    mechanism for switching between implementations. This mechanism monitors
    the types of requests the component is receiving, and adaptively switches
    implementations for optimal application performance. Achieving this optimal
    performance depends on making good choices as to when and how to switch
    implementations, a problem we refer to as the adaptive component
    problem. We first formalize the generic problem, and then provide an
    algorithm, named Delta, for switching implementations in the special case
    when the component has exactly two implementations. We show that this
    algorithm is (3+epsilon)-competitive with respect to the optimal algorithm,
    where epsilon is a small fraction. We establish a 3-competitive lower bound
    for the problem, which implies that Delta is close to optimal. We describe
    two applications of these results to the distributed pub/sub problem, and
    the data structure selection problem.",
}


@InProceedings{BallMMR2001,
  author = 	 "Thomas Ball and Rupak Majumdar and Todd Millstein and Sriram K. Rajamani",
  title = 	 "Automatic predicate abstraction of {C} programs",
  booktitle =	 PLDI2001,
  pages =	 "203--213",
  year =	 2001,
  address =	 PLDI2001addr,
  month =	 PLDI2001date
}


@InProceedings{FreundS96,
  author = 	 "Yoav Freund and Robert E. Schapire",
  title = 	 "Experiments with a new boosting algorithm",
  booktitle =	 ICML96,
  pages =	 "148--156",
  year =	 1996,
  address =	 ICML96addr,
  month =	 ICML96date
}


%%%
%%% Web services composition
%%%

@Misc{BPEL4WS,
  key = 	 "BPEL4WS",
  title = 	 "{Business Process Execution Language for Web Services}",
  howpublished = "\url{http://www.ibm.com/developerworks/library/specification/ws-bpel/}",
  month = 	 jul # "~30,",
  year = 	 2002,
  note = 	 "Version 1.1 (updated " # feb # "~1, 2006)",
}

@InProceedings{DongHMNZ2004,
  author = 	 "Xin Dong and Alon Halevy and Jayant Madhavan and Ema Nemes and Jun Zhang",
  title = 	 "Similarity search for Web Services",
  booktitle = VLDB2004,
  pages = 	 "372--383",
  year = 	 2004,
  address = 	 VLDB2004addr,
  month = 	 VLDB2004date,
}

@InProceedings{KimG2004,
  author = 	 "Jihie Kim and Yolanda Gil",
  title = 	 "Towards interactive composition of Semantic Web Services",
  booktitle =    SSSW2004,
  NEEDpages = 	 "*",
  year = 	 2004,
  address = 	 SSSW2004addr,
  month = 	 SSSW2004date,
}

@InProceedings{LassilaD2004,
  author = 	 "Ora Lassila and Sapna Dixit",
  title = 	 "Interleaving discovery and composition for simple workflows",
  booktitle = SSSW2004,
  NEEDpages = 	 "*",
  year = 	 2004,
  address = 	 SSSW2004addr,
  month = 	 SSSW2004date,
}

@InProceedings{MajithiaSTW2004,
  author = 	 "Shalil Majithia and Matthew Shields and Ian Taylor and Ian Wang",
  title = 	 "Triana: A graphical Web Service composition and execution toolkit",
  booktitle = ICWS2004,
  pages = 	 514,
  year = 	 2004,
  address = 	 ICWS2004addr,
  month = 	 ICWS2004date,
}

@InProceedings{PaolucciKPS2002,
  author = 	 "Massimo Paolucci and Takahiro Kawamura and Terry R. Payne and Katia P. Sycara",
  title = 	 "Semantic matching of Web Services capabilities",
  booktitle = ISWC2002,
  pages = 	 "333--347",
  year = 	 2002,
  address = 	 ISWC2002addr,
  month = 	 ISWC2002date,
}

@InProceedings{PistoreBCMT2004,
  author = 	 "M. Pistore and P. Bertoli and E. Cusenya and A. Marconi and P. Traverso",
  title = 	 "{WS-GEN}: A tool for the automated composition of Semantic Web Services",
  booktitle = ISWC2004,
  NEEDpages = 	 "*",
  year = 	 2004,
  address = 	 ISWC2004addr,
  month = 	 ISWC2004date,
  note =         "demo paper",
}

@InProceedings{RaoKM2004,
  author = 	 "Jinghai Rao and Peep K{\"u}ngas and Mihhail Matskin",
  title = 	 "Logic-based Web Service composition: From service description to process model",
  booktitle = ICWS2004,
  NEEDpages = 	 "*",
  year = 	 2004,
  address = 	 ICWS2004addr,
  month = 	 ICWS2004date,
}

@InProceedings{SirinHP2003,
  author = 	 "Evren Sirin and James A. Hendler and Bijan Parsia",
  title = 	 "Semi-automatic composition of web services using semantic descriptions",
  booktitle = WSMAI2003,
  pages = 	 "17--24",
  year = 	 2003,
  address = 	 WSMAI2003addr,
  month = 	 WSMAI2003date,
}

@Article{SirinPH2004,
  author = 	 "Evren Sirin and Bijan Parsia and James Hendler",
  title = 	 "Filtering and selecting Semantic Web Services with interactive composition technologies",
  journal = 	 "IEEE Intelligent Systems",
  year = 	 2004,
  volume = 	 19,
  number = 	 4,
  pages = 	 "42--49",
  month = 	 jul # "/" # aug,
  abstract =
   "Creating novel functionality by means of composing existing Web Services is
    essential for a variety of applications. A main problem for automated Web
    Service composition is the gap between the concepts people use and the data
    computers interpret. An interactive approach overcomes this barrier using
    Semantic Web technologies. This approach uses contextual information to
    find the matching services at each step of the composition. The matches are
    filtered using ontological reasoning on the semantic descriptions of the
    services. The authors have developed a prototype on the basis of these
    ideas and tested their system by generating OWL-S descriptions for some of
    the common Web Services. The approach is also applicable to other network
    environments where devices provide their functionalities as Web Services
    and their capabilities are described using Web Ontologies.",
}

@Misc{WSDL,
  author = 	 "{World Wide Web Consortium (W3C)}",
  title = 	 "{Web Services Description Language (WSDL)}",
  howpublished = "\url{http://www.w3.org/TR/wsdl20-primer/}",
  year = 	 2006,
}

@Misc{WSA,
  author = 	 "{World Wide Web Consortium (W3C)}",
  title = 	 "{Web Services Activity}",
  howpublished = "\url{http://www.w3.org/2002/ws/}",
  year = 	 2006,
}

@Misc{XMethods.org,
  key = 	 "xmethods.org",
  howpublished = "\url{XMethods.org}",
  year = 	 2006,
}



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Software upgrade
%%%

@InProceedings{Devanbu99,
  author = 	 "Premkumar Devanbu",
  title = 	 "A reuse nightmare: Honey, {I} got the wrong {DLL}",
  booktitle =	 SSR99,
  OPTpages = 	 "",
  year =	 1999,
  OPTmonth = 	 "",
  address =	 "Los Angeles, CA, USA",
  note =	 "Panel position statement"
}






%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Generating code from specifications
%%%

% References in this section may have example code for which invariants are
% known; such code could be a good input to our system.



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Education
%%%

@InProceedings{SIGCSE98*166,
  author =       "Guy Tremblay",
  title =        "An Undergraduate Course in Formal Methods:
                 ``{D}escription is Our Business''",
  searchabletitle = "An Undergraduate Course in Formal Methods:
                 ``Description is Our Business''",
  pages =        "166--170",
  ISSN =         "0097-8418",
  booktitle =    SIGCSE98,
  month =        SIGCSE98date,
  series =       "SIGCSE Bulletin",
  volume =       "30(1)",
  address =      "New York",
  year =         1998,
}


@Article{Wing:1990:SIF,
  author =       "Jeannette M. Wing",
  title =        "A Specifier's Introduction to Formal Methods",
  journal =      "Computer",
  volume =       "23",
  number =       "9",
  pages =        "8, 10--22, 24",
  month =        sep,
  year =         "1990",
  coden =        "CPTRB4",
  ISSN =         "0018-9162",
  bibdate =      "Sat Feb 1 16:21:14 MST 1997",
  abstract =     "Applied to computer systems development, formal
                 methods provide mathematically based techniques that
                 describe system properties. As such, they present a.
                 framework for systematically specifying, developing,
                 and verifying systems.",
  affiliation =  "Sch. of Comput. Sci., Carnegie Mellon Univ.,
                 Pittsburgh, PA, USA",
  classification = "723; C6110B (Software engineering techniques); C6120
                 (File organisation); C6140D (High level languages)",
  journalabr =   "Computer",
  keywords =     "Computer Metatheory--Algorithmic Languages; Computer
                 Software; Computer system development; CSP; Formal
                 methods; Formal Methods; Formal specification
                 languages; Formal Specification Languages; Larch;
                 Mathematically based techniques; Software Engineering;
                 System properties; Temporal logic; Transition axioms;
                 VDM; Z",
  thesaurus =    "Data structures; Formal specification; Specification
                 languages",
}


@InProceedings{SIGCSE00*157,
  author =       "Ann Sobel",
  title =        "Empirical Results of a Software Engineering Curriculum
                 Incorporating Formal Methods",
  pages =        "157--161",
  booktitle =    SIGCSE2000,
  year =         2000,
  address =      SIGCSE2000addr,
  month =        SIGCSE2000date
}

@InProceedings{Sigce01*21,
  author =       "David Ginat",
  title =        "Misleading Intuition in Algorithmic Problem Solving",
  pages =        "21--25",
  booktitle =    SIGCSE2001,
  month =        SIGCSE2001date,
  series =       "ACM SIGCSE Bulletin",
  volume =       "33(1)",
  address =      "New York",
  year =         2001,
}


@InProceedings{Odekirk00,
  author = 	 "Elizabeth Odekirk",
  title = 	 "Analyzing student programs",
  booktitle = 	 ITCSE00,
  pages = 	 191,
  year = 	 2000,
  address = 	 ITCSE00addr,
  month = 	 ITCSE00date
}



@InProceedings{WeberWulff00,
  author = 	 "Debora Weber-Wulff",
  title =        "Combating the code warrior: A different sort of
                 programming instruction",
  booktitle = 	 ITCSE00,
  pages =        "85--88",
  year =         2000,
  address = 	 ITCSE00addr,
  month = 	 ITCSE00date
}

@InProceedings{BiddleMWTV98,
  author = 	 "Robert Biddle and John Miller-Williams and Ewan Tempero and Eduard Vaks",
  title = 	 "Tools to aid learning reusability",
  booktitle = 	 "Australasian Conference on Computer Science Education",
  pages =	 127,
  year =	 1998,
  address =	 "Brisbane, Queensland, Australia",
  month =	 jul # " 8--10,"
}


@Book{Boyer98,
  author =	 "{Boyer Commission on Educating Undergraduates in the
		  Research University}",
  title = 	 "Reinventing Undergraduate Education:  A Blueprint for
		  America's Research Universities",
  publisher = 	 "Carnegie Foundation for the Advancement of Teaching",
  year = 	 1998,
  address =	 "Menlo Park, CA"
}


@Book{Flagg90,
  author =	 "Barbara N. Flagg",
  title = 	 "Formative Evaluation for Educational Technologies",
  publisher = 	 "Lawrence Erlbaum",
  year = 	 1990,
  address =	 "Hillsdale, NJ"
}



@InCollection{Scriven91,
  author =	 "Michael Scriven",
  title = 	 "Beyond formative and summative evaluation",
  booktitle = 	 "Program Evaluation",
  editor =	 "Margaret E. Gredler",
  publisher = 	 "Prentice Hall",
  year = 	 1996,
  address =	 "New Jersey",
  pages =	 16
}



@Article{Morrow94,
  author = 	 "Richard M. Morrow",
  title = 	 "Issues facing engineering education",
  journal = 	 "Journal of Engineering Education",
  year = 	 1994,
  volume =	 83,
  number =	 1,
  pages =	 15
}



@Book{Tucker91,
  editor =	 "Allen B. Tucker",
  title = 	 "Computing Curricula 1991: Report of the ACM/IEEE-CS Joint
		  Curriculum Task Force",
  publisher = 	 "ACM Press",
  year = 	 1991,
  address =	 "New York, NY"
}


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Differential program analysis
%%%

% (Also see spectra?)

@InProceedings{WinsteadE2003,
  author = 	 "Joel Winstead and David Evans",
  title = 	 "Towards differential program analysis",
  booktitle =	 WODA2003,
  pages =	 "37--40",
  year =	 2003,
  address =	 WODA2003addr,
  month =	 WODA2003date,
  abstract =
   "Differential Program Analysis is the task of analyzing two related programs
    to determine the behavioral difference between them. One goal is to find an
    input for which the two programs will produce different outputs, thus
    illustrating the behavioral difference between the two programs. Because
    the general problem is undecidable, an unsound or incomplete analysis is
    necessary. A combination of static and dynamic techniques may be able to
    produce useful results for typical programs, by conducting a search for
    differentiating inputs guided by heuristics. This paper defines the
    problem, describing what would be necessary for this kind of analysis, and
    presents preliminary results illustrating the potential of this technique."
}



@InProceedings{Notkin2002,
  author = 	 "David Notkin",
  title = 	 "Longitudinal program analysis",
  booktitle =	 PASTE2002,
  pages =	 "1--1",
  year =	 2002,
  address =	 PASTE2002addr,
  month =	 PASTE2002date,
  doi = {http://doi.acm.org/10.1145/586094.586095},
}



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Program steering
%%%





@TechReport{GuVS94:TR,
  author = 	 "Weiming Gu and Jeffrey Vetter and Karsten Schwan",
  title = 	 "An annotated bibliography of interactive program steering",
  institution =  "College of Computing, Georgia Institute of Technology",
  year = 	 1994,
  OPTkey = 	 "",
  OPTtype = 	 "",
  number = 	 "GIT-CC-94-15",
  address = 	 "Atlanta, GA, USA",
  month = 	 nov # "~1,",
  OPTnote = 	 "",
  OPTannote = 	 "",
  supersedes =   "GuVS94:SIGPLAN",
  abstract =
   "This annotated bibliography reviews current research in dynamic and
    interactive program steering. In particular, we review
    systems-related research addressing dynamic program steering, raising
    issues in operating and language systems, mechanisms and algorithms
    for dynamic program adaptation, program monitoring and the associated
    data storage techniques, and the design of dynamically steerable or
    adaptable programs. We define program steering as the capacity to
    control the execution of long-running, resource-intensive programs.
    Dynamic program steering consists of two separable tasks: monitoring
    program or system state (monitoring) and then enacting program
    changes made in response to observed state changes (steering).",
}


@Article{GuVS94:SIGPLAN,
  author = 	 "Weiming Gu and Jeffrey Vetter and Karsten Schwan",
  title = 	 "An annotated bibliography of interactive program steering",
  journal = 	 SIGPLAN,
  year = 	 1994,
  volume =	 29,
  number =	 9,
  pages =	 "140--148",
  month = 	 sep
}


@Article{GhiethS93,
  author = 	 "Ahmed Ghieth and Karsten Schwan",
  title = 	 "{CHAOS-Arc} -- Kernel support for multi-weight objects,
                  invocations, and atomicity in real-time applications",
  journal = 	 "ACM Transactions on Computer Systems",
  year = 	 1993,
  volume =	 11,
  number =	 1,
  pages =	 "33--72",
  month =	 apr
}

@InProceedings{EisenhauerS98,
  author = 	 "Greg Eisenhauer and Karsten Schwan",
  title = 	 "An object-based infrastructure for program monitoring and
                  steering",
  booktitle =	 SPDT98,
  pages =	 "10--20",
  year =	 1998,
  address =	 SPDT98addr,
  month =	 SPDT98date
}


@InProceedings{MillerGKX01,
  author = 	 "David W. Miller and Jinhua Guo and Eileen Kraemer and Yin
                  Xiong",
  title = 	 "On-the-fly calculation and verification of consistent
                  steering transactions",
  booktitle =	 SC2001,
  pages =	 "1--17",
  year =	 2001,
  address =	 SC2001addr,
  month =	 SC2001date
}


@InProceedings{Parker95J,
  author = 	 "Steven G. Parker and Christopher R. Johnson",
  title = 	 "{SCIRun}: a scientific programming environment for
                  computational steering",
  booktitle =	 SC1995,
  OPTOPTpages = 	 "",
  year =	 1995,
  address =	 SC1995addr,
  month =	 SC1995date
}




@InProceedings{LiuCBK01,
  author = 	 "Jinfeng Liu and Pai H. Chou and Nader Bagherzadeh and
                  Fadi Kurdahi",
  title = 	 "A constraint-based application model and scheduling
                  techniques for power-aware systems",
  booktitle =	 CODES2001,
  pages =	 "153--158",
  year =	 2001,
  address =	 CODES2001addr,
  month = 	 CODES2001date,
  abstract =
   "New embedded systems must be power-aware, not just low-power. That is, they
    must track their power sources and the changing power and performance
    constraints imposed by the environment. Moreover, they must fully explore
    and integrate many novel power management techniques. Unfortunately, these
    techniques are often incompatible with each other due to overspecialized
    formulations or they fail to consider system-wide issues. This paper
    proposes a new graph-based model to integrate novel power management
    techniques and facilitate design-space exploration of power-aware embedded
    systems. It captures min/max timing and min/max power constraints on
    computation and non-computation tasks through a new constraint
    classification and enables derivation of flexible system-level
    schedules. We demonstrate the effectiveness of this model with a
    power-aware scheduler on real mission-critical applications. Experimental
    results show that our automated techniques can improve performance and
    reduce energy cost simultaneously. The application model and scheduling
    tool presented in this paper form the basis of the IMPACCT system-level
    framework that will enable designers to aggressively explore many
    power-performance trade-offs with confidence."
}


@InProceedings{RichterZETT99,
  author = 	 "K. Richter and D. Ziegenbein and R. Ernst and L. Thiele
                  and J. Teich",
  title = 	 "Representation of function variants for embedded system
                  optimization and synthesis",
  booktitle =	 DAC99,
  pages =	 "517--522",
  year =	 1999,
  address =	 DAC99addr,
  month =	 DAC99date
}


@InProceedings{LiuZ2003,
  author = 	 "Peng Liu and Wanyu Zang",
  title = 	 "Incentive-based modeling and inference of attacker
                  intent, objectives, and strategies",
  booktitle =	 "Proceedings of the 10th ACM conference on Computer and
                  communication security",
  pages =	 "179--189",
  year =	 2003,
  address =	 "Washington D.C., USA",
  month =	 oct # "~27--30,"
}


@Article{BalanAS2002,
  author = 	 "Rajesh Krishna Balan and Aditya Akella and Srini Seshan",
  title = 	 "Multi-modal network protocols",
  journal = 	 "SIGCOMM Comput. Commun. Rev.",
  year = 	 2002,
  volume =	 32,
  number =	 1,
  pages =	 "60--60",
  month =	 jan
}

@InProceedings{Debenham2000,
  author = 	 "John Debenham",
  title = 	 "A multi-agent architecture for process management
                  accommodates unexpected performance",
  booktitle =	 SAC2000,
  pages =	 "15--19",
  year =	 2000,
  address =	 SAC2000addr,
  month =	 SAC2000date,
  abstract =
   "A generic process agent architecture is used to build systems for business
    process management. The architecture is a three-layer BDI, hybrid
    architecture. The agents in this system attempt to make choices in line
    with corporate priorities. Choices are made on the basis of estimates of
    the values of particular parameters. These estimates are accepted as long
    as they are statistically stable. If variations in these estimates lie
    outside specified limits then the system attempts to deduce why this is
    so. If it is unable to deduce a reason then it asks for one. If the reason
    for an unexpected measurement is quantifiable then the reason is used to
    revise subsequent measurements while that reason remains significant. The
    architecture has been trialed on emergent process management in a
    university administrative context.",
}



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Not directly relevant
%%%




@InProceedings{MICRO97*259,
  author =       "Brad Calder and Peter Feller and Alan Eustace",
  title =        "Value Profiling",
  pages =        "259--269",
  ISBN =         "0-8186-7977-8",
  booktitle =    MICRO97,
  month =        dec # "~1--3,",
  year =         "1997",
  address =      MICRO97addr,
}





@Article{CalderFE:JILP,
  author = 	 "Brad Calder and Peter Feller and Alan Eustace",
  title = 	 "Value Profiling and Optimization",
  journal = 	 "Journal of Instruction Level Parallelism",
  year = 	 1999,
  volume = 	 1,
  month = 	 mar,
  note =         "\url{http://www.jilp.org/vol1/}"
}


@Article{Calder:1997:ESB,
  author =       "Brad Calder and Dirk Grunwald and Michael Jones and
                 Donald Lindsay and James Martin and Michael Mozer and
                 Benjamin Zorn",
  title =        "Evidence-Based Static Branch Prediction Using Machine
                 Learning",
  journal =      "ACM Transactions on Programming Languages and
                 Systems",
  volume =       19,
  number =       1,
  pages =        "188--222",
  month =        jan,
  year =         1997,
  coden =        "ATPSDT",
  ISSN =         "0164-0925",
  bibdate =      "Wed Mar 12 08:06:48 MST 1997",
  url =          "http://www.acm.org/pubs/citations/journals/toplas/1997-19-1/p188-calder/",
  keywords =     "algorithms; languages; measurement; performance",
  subject =      "{\bf I.2.6}: Computing Methodologies, ARTIFICIAL
                 INTELLIGENCE, Learning, Parameter learning. {\bf C.4}:
                 Computer Systems Organization, PERFORMANCE OF SYSTEMS,
                 Measurement techniques. {\bf D.3.4}: Software,
                 PROGRAMMING LANGUAGES, Processors, Compilers. {\bf
                 D.3.4}: Software, PROGRAMMING LANGUAGES, Processors,
                 Optimization. {\bf I.2.6}: Computing Methodologies,
                 ARTIFICIAL INTELLIGENCE, Learning, Connectionism and
                 neural nets.",
  abstract =
   "Correctly predicting the direction that branches will take is
    increasingly important in today's wide-issue computer architectures. The
    name {\em program-based\/} branch prediction is given to static branch
    prediction techniques that base their prediction on a program's
    structure. In this article, we investigate a new approach to program-based
    branch prediction that uses a body of existing programs to predict the
    branch behavior in a new program. We call this approach to program-based
    branch prediction {\em evidence-based static prediction\/}, or ESP. The
    main idea of ESP is that the behavior of a corpus of programs can be used
    to infer the behavior of new programs. In this article, we use neural
    networks and decision trees to map static features associated with each
    branch to a prediction that the branch will be taken. ESP shows significant
    advantages over other prediction mechanisms.  Specifically, it is a
    program-based technique; it is effective across a range of programming
    languages and programming styles; and it does not rely on the use of
    expert-defined heuristics. In this article, we describe the application of
    ESP to the problem of static branch prediction and compare our results to
    existing program-based branch predictors. We also investigate the
    applicability of ESP across computer architectures, programming languages,
    compilers, and run-time systems.  We provide results showing how sensitive
    ESP is to the number and type of static features and programs included in
    the ESP training sets, and we compare the efficacy of static branch
    prediction for subroutine libraries. Averaging over a body of 43 C and
    Fortran programs, ESP branch prediction results in a miss rate of 20\%, as
    compared with the 25\% miss rate obtained using the best existing
    program-based heuristics.",
}


@InProceedings{SodaniS98,
  author =       "Avinash Sodani and Gurindar S. Sohi",
  title =        "An Empirical Analysis of Instruction Repetition",
  booktitle =    ASPLOS98,
  year =         "1998",
  address =      ASPLOS98addr,
  month =        ASPLOS98date,
  pages =        "35--45"
}


@inproceedings{RossonOO,
    AUTHOR="Mary Beth Rosson and John M. Carroll",
    TITLE="Active Programming Strategies in Reuse",
    BOOKTITLE="ECOOP '93, 7th European Conference on Object-Oriented Programming",
    PAGES="4--20",
    YEAR ="1993"
    }
















@Article{Letovsky:1986:DPP,
  author =       "Stanley Letovsky and Elliot Soloway",
  title =        "Delocalized Plans and Program Comprehension",
  journal =      "IEEE Software",
  volume =       "3",
  number =       "3",
  pages =        "41--49",
  month =        may,
  year =         "1986",
  coden =        "IESOEG",
  ISSN =         "0740-7459",
  bibdate =      "Sat Jan 25 07:35:26 MST 1997",
  affiliationaddress = "Yale Univ, New Haven, CT, USA",
  classification = "723",
  journalabr =   "IEEE Software",
  keywords =     "cognitive analysis; computer programming; computer
                 software; program comprehension; Software Engineering;
                 software maintenance",
}


@Article{ChangPohua1991a,
  author =       "Pohua P. Chang and Scott A. Mahlke and Hwu, Wen-mei W.",
  journal =      "Software Practice and Experience",
  title =        "Using Profile Information to Assist Classic Code
                 Optimizations",
  year =         "1991",
  url =          "ftp://ftp.crhc.uiuc.edu/pub/IMPACT/journal/spe.profile-classic.91.ps",
  scope =        "opt",
}





@Article{Ryan59,
  author = 	 "T. A. Ryan",
  title = 	 "Multiple comparisons in psychological research",
  journal = 	 "Psychological Bulletin",
  year = 	 1959,
  volume =	 56,
  pages =	 "26--47"
}



%%% Clustering


@Article{JainMF99,
  author = 	 "A. K. Jain and M. N. Murty and P. J. Flynn",
  title = 	 "Data clustering: A review",
  journal = 	 "ACM Computing Surveys",
  year = 	 1999,
  volume =	 31,
  number =	 3,
  pages =	 "264--323",
  month =	 sep
}

@Book{JainD88,
  author =       "Anil K. Jain and Richard C. Dubes",
  title =        "Algorithms for clustering data",
  publisher =    "Prentice-Hall Inc.",
  address =      "Englewood Cliffs, NJ",
  year =         1988,
  OPTpages =        "xiv+320",
  ISBN =         "0-13-022278-X",
  mrclass =      "68T10 (62-07 62H30 68U10)",
  mrnumber =     "91h:68155",
  mrreviewer =   "Guna Seetharaman",
}

@InProceedings{PellegMoore2000,
  author =       "Dan Pelleg and Andrew Moore",
  title =        "${X}$-means: Extending ${K}$-means with efficient
                 estimation of the number of clusters",
  booktitle =    "Proc. 17th International Conf. on Machine Learning",
  OPTpublisher =    "Morgan Kaufmann, San Francisco, CA",
  year =         "2000",
  pages =        "727--734",
}


@Article{PodgurskiMMWY99,
  author = 	 "Andy Podgurski and Wassim Masri and Yolanda McCleese and Francis G. Wolff and Charles Yang",
  title = 	 "Estimation of software reliability by stratified sampling",
  journal = 	 tosem,
  year = 	 1999,
  volume =	 8,
  number =	 3,
  pages =	 "263--283",
  month =	 jul
}


@InProceedings{DickinsonLP2001:ICSE,
  author = 	 "William Dickinson and David Leon and Andy Podgurski",
  title =        "Finding Failures by Cluster Analysis of Execution Profiles",
  pages =        "339--348",
  booktitle =    icse2001,
  month =        icse2001date,
  address =      icse2001addr,
  year =         "2001",
}


@InProceedings{DickinsonLP2001:FSE,
  author = 	 "William Dickinson and David Leon and Andy Podgurski",
  title = 	 "Pursuing failure: the distribution of program failures in a profile space",
  booktitle = 	 fse2001,
  pages =	 "246--255",
  year =	 2001,
  month =        FSE2001date,
  address =	 FSE2001addr,
  abstract =
   "Observation-based testing calls for analyzing profiles of executions
    induced by potential test cases, in order to select a subset of executions
    to be checked for conformance to requirements. A family of techniques for
    selecting such a subset is evaluated experimentally. These techniques
    employ automatic cluster analysis to partition executions, and they use
    various sampling techniques to select executions from clusters. The
    experimental results support the hypothesis that with appropriate
    profiling, failures often have unusual profiles that are revealed by
    cluster analysis. The results also suggest that failures often form small
    clusters or chains in sparsely-populated areas of the profile space. A form
    of adaptive sampling called failure-pursuit sampling is proposed for
    revealing failures in such regions, and this sampling method is evaluated
    experimentally. The results suggest that failure-pursuit sampling is
    effective.",
}


@InProceedings{ChenZ81,
  author = 	 "Eric Chen and Marvin V. Zelkowitz",
  title = 	 "Use of cluster analysis to evaluate software engineering methodologies",
  booktitle = 	 icse81,
  pages =	 "117--124",
  year = 	 1981,
  address = 	 "San Diego, CA",
  month =	 mar
}




@PhdThesis{Rifkin2002,
  author = 	 "Rifkin, Ryan Michael",
  title = 	 "Everything Old Is New Again: A Fresh Look at Historical
                  Approaches in Machine Learning",
  school = 	 MITSloan,
  year = 	 2002,
  address =	 MITaddr,
  month =	 sep
}

@InCollection{SVMlight,
  author = 	 "Thorsten Joachims",
  title = 	 "Making large-scale {SVM} learning practical",
  booktitle = 	 "Advances in Kernel Methods --- Support Vector Learning",
  publisher =    "MIT Press",
  year = 	 1998,
  editor = 	 "Bernhard Sch{\"o}lkopf and Christopher J. C. Burges and Alexander Smola",
  chapter = 	 11,
  address = 	 "Cambridge, MA"
}

@Misc{C5.0,
  author = 	 {J. Ross Quinlan},
  title = 	 {Information on {See5} and {C5.0}},
  howpublished = {\url{http://www.rulequest.com/see5-info.html}},
  year = 	 2003,
  month =        aug
}

@Book{Quinlan93,
  author =	 "J. Ross Quinlan",
  title = 	 "C4.5: Programs for Machine Learning",
  publisher = 	 "Morgan Kaufmann",
  year = 	 1993,
  OPTaddress = 	 "",
}


@Article{ProvostD2003,
  author = 	 "Foster Provost and Pedros Domingos",
  title = 	 "Tree induction for probability-based ranking",
  journal = 	 "Machine Learning",
  year = 	 2003,
  volume =	 52,
  number =	 3,
  pages =	 "199--216",
  month =	 sep,
  abstract =
   "Tree induction is one of the most effective and widely used methods for
    building classification models. However, many applications require cases to
    be ranked by the probability of class membership. Probability estimation
    trees (PETs) have the same attractive features as classification trees
    (e.g., comprehensibility, accuracy and efficiency in high dimensions and on
    large data sets). Unfortunately, decision trees have been found to provide
    poor probability estimates. Several techniques have been proposed to build
    more accurate PETs, but, to our knowledge, there has not been a systematic
    experimental analysis of which techniques actually improve the
    probability-based rankings, and by how much. In this paper we first discuss
    why the decision-tree representation is not intrinsically inadequate for
    probability estimation. Inaccurate probabilities are partially the result
    of decision-tree induction algorithms that focus on maximizing
    classification accuracy and minimizing tree size (for example via
    reduced-error pruning). Larger trees can be better for probability
    estimation, even if the extra size is superfluous for accuracy
    maximization. We then present the results of a comprehensive set of
    experiments, testing some straightforward methods for improving
    probability-based rankings. We show that using a simple, common smoothing
    method?the Laplace correction?uniformly improves probability-based
    rankings. In addition, bagging substantially improves the rankings, and is
    even more effective for this purpose than for improving accuracy. We
    conclude that PETs, with these simple modifications, should be considered
    when rankings based on class-membership probability are required.",
}


@Book{SVM,
  author =	 {Nello Christianini and John Shawe-Taylor},
  title = 	 {An Introduction To Support Vector Machines (and other kernel-based learning methods)},
  publisher = 	 {Cambridge University Press},
  year = 	 2000
}



@InProceedings{EnglerCHCC01,
  author = 	 "Dawson Engler and David Yu Chen and Seth Hallem and Andy Chou and Benjamin Chelf",
  title = 	 "Bugs as deviant behavior: a general approach to inferring errors in systems code",
  booktitle = 	 SOSP2001,
  pages =	 "57--72",
  year =	 2001,
  address =	 SOSP2001addr,
  month =	 SOSP2001date
}


@InProceedings{XieE2002:FSE,
  author = 	 "Yichen Xie and Dawson Engler",
  title = 	 "Using Redundancies to find errors",
  booktitle =	 FSE2002,
  pages =	 "51--60",
  year =	 2002,
  address =	 FSE2002addr,
  month =	 FSE2002date
}











@Article{BaconGS94,
  author = 	 "David F. Bacon and Susan L. Graham and Oliver J. Sharp",
  title = 	 "Compiler transformations for high-performance computing",
  journal = 	 CSUR,
  year = 	 1994,
  volume =	 26,
  number =	 4,
  pages =	 "345--420",
  month =	 dec
}



@TechReport{Stata97:PhD-TR,
  author = 	 "Raymie Stata",
  title = 	 "Modularity in the Presence of Subclassing",
  institution =  MITLCS,
  year = 	 1997,
  number =	 "MIT-LCS-TR-711",
  address =	 MITaddr,
  month =	 apr # "~1,",
  note =	 "Revision of PhD thesis"
}


@TechReport{Parnas-Wang89,
  key =          "Parnas \& Wang",
  author =       "David Lorge Parnas and Yabo Wang",
  title =        "The Trace Assertion Method of Module Interface
                 Specification",
  month =        oct,
  year =         "1989",
  number =       "89-261",
  institution =  "Department of Computing and Information Science,
                 Queen's University at Kingston",
  address =      "Kingston, Ontario, Canada",
  annote =       "Reference and summary of the trace assertion method.
                 18 references.",
}


@InProceedings{BartussekP78,
  author = 	 "Wolfram Bartussek and David L. Parnas",
  title = 	 "Using traces to write abstract specifications for
                  software modules",
  booktitle =	 "Proc. 2nd Conference of European Cooperation in Informatics",
  pages =	 "211--236",
  year =	 1978,
  month =	 oct # "~10--12,",
  OPTnote =	 "Reprinted in Gehani, N., McGettrick, A.D. (Eds.), Software Specification Techniques, AT&T Bell Telephone Laboratories, 1985, pp. 111-130."
}
% Springer-Verlag, LNCS 65



@TechReport{KoskimiesMST96,
  author = 	 "Kai Koskimies and Tatu M{\"a}nnist{\"o} and Tarja
                  Syst{\"a} and Jyrki Tuomi",
  title = 	 "{SCED}: A tool for dynamic modelling of object systems",
  institution =  "University of Tampere, Dept. of Computer Science",
  year = 	 1996,
  number =	 "A-1996-4",
  address =	 "Finland",
  month =	 jul
}


@inproceedings{738238,
 author = {Mike Y. Chen and Emre Kiciman and Eugene Fratkin and Armando Fox and Eric Brewer},
 title = {Pinpoint: Problem Determination in Large, Dynamic Internet Services},
 booktitle = {DSN '02: Proceedings of the 2002 International Conference on Dependable Systems and Networks},
 year = {2002},
 isbn = {0-7695-1597-5},
 pages = {595--604},
 publisher = {IEEE Computer Society},
 address = {Washington, DC, USA},
 }


@InProceedings{Liblit:2003:BIRPS,
  author =	 {Ben Liblit and Alex Aiken and Alice X. Zheng and
                  Michael I. Jordan},
  title =	 {Bug Isolation via Remote Program Sampling},
  booktitle =	 PLDI2003,
  pages =        "141--154",
  year =	 2003,
  address =	 PLDI2003addr,
  month =	 PLDI2003date,
  source =
                  {\url{http://www.cs.berkeley.edu/~liblit/bug-isolation/bug-isolation.bib}},
  abstract =
   "We propose a low-overhead sampling infrastructure for gathering information
    from the executions experienced by a program's user community. Several
    example applications illustrate ways to use sampled instrumentation to
    isolate bugs. Assertion-dense code can be transformed to share the cost of
    assertions among many users. Lacking assertions, broad guesses can be made
    about predicates that predict program errors and a process of elimination
    used to whittle these down to the true bug. Finally, even for
    non-deterministic bugs such as memory corruption, statistical modeling
    based on logistic regression allows us to identify program behaviors that
    are strongly correlated with failure and are therefore likely places to
    look for the error."
}




@Misc{LiblitNZAJ2003,
  author = 	 "Ben Liblit and Mayur Naik and Alice X. Zheng and Alex
                  Aiken and Michael I. Jordan",
  title = 	 "Bug isolation in the presence of multiple bugs",
  OPTkey = 	 "",
  OPThowpublished = "Submitted to PLDI 2004",
  OPTmonth = 	 nov,
  OPTyear = 	 2003,
  OPTnote = 	 "",
  OPTannote = 	 "",
  abstract =
   "Software errors are a fact of life, with complex programs exhibiting
    multiple bugs even within a single run. Debugging can be difficult when
    neither the causes nor even the number of distinct errors are known. We
    present a multiple-bug isolation algorithm that operates on sparsely
    sampled data drawn from large numbers of user runs. By identifying those
    program behaviors which significantly increase the likelihood of failure,
    our technique helps guide software engineers to the most significant flaws
    in an application. The approach has connections to statistical hypothesis
    testing, and is validated using a case study of a complex application.",
}



@InProceedings{NainarCRL2007,
  author = 	 "Piramanayagam Arumuga Nainar and Ting Chen and Jake Rosin and Ben Liblit",
  title = 	 "Statistical debugging using compound boolean predicates",
  booktitle =    ISSTA2007,
  NEEDpages = 	 "5--15",
  year = 	 2007,
  address = 	 ISSTA2007addr,
  month = 	 ISSTA2007date,
  abstract =
   "Statistical debugging uses dynamic instrumentation and machine learning
    to identify predicates on program state that are strongly predictive of
    program failure. Prior approaches have only considered simple, atomic
    predicates such as the directions of branches or the return values of
    function calls. We enrich the predicate vocabulary by adding complex
    Boolean formulae derived from these simple predicates. We draw upon
    three-valued logic, static program structure, and statistical
    estimation techniques to efficiently sift through large numbers of
    candidate Boolean predicate formulae. We present qualitative and
    quantitative evidence that complex predicates are practical, precise,
    and informative. Furthermore, we demonstrate that our approach is
    robust in the face of incomplete data provided by the sparse random
    sampling that typies post-deployment statistical debugging.",
}



@Misc{Chapin-Personal-2002,
  author =	 "John Chapin",
  title =	 "Personal communication",
  howpublished = "CTO, Vanu Inc.",
  year =	 2002
}




@InProceedings{AntoniolDP2004,
  author = 	 "Giuliano Antoniol and Massimiliano {Di Penta}",
  title = 	 "A distributed architecture for dynamic analyses on user-profile data",
  booktitle = CMSR2004,
  pages = 	 "319--328",
  year = 	 2004,
  address = 	 CMSR2004addr,
  month = 	 CMSR2004date,
  abstract =
   "Combining static and dynamic information is highly relevant in many reverse
    engineering, program comprehension and maintenance tasks. To allow dynamic
    information reflecting software system usage scenarios, it should be
    collected during a long period of time, in a real user environment. This,
    however, poses several challenges. First and foremost, it is necessary to
    model the extraction of any relevant dynamic information from execution
    traces, thus avoiding to collect a large amount of unmanageable
    data. Second, we need a distributed architecture that allows to collect and
    compress such an information from geographically distributed users. We
    propose a probabilistic model for representing dynamic information, as well
    as a Web-service based distributed architecture for its collection and
    compression. The new architecture has been instantiated to collect
    inter-procedural program execution traces up to a selectable level of
    calling context sensitivity. The paper details the role and
    responsibilities of the architecture components, as well as performance and
    compression ratios achieved on a set of C and Java programs.",
}


@InProceedings{FisherWZW2008,
  author = 	 "Kathleen Fisher and David Walker and Kenny Q. Zhu and Peter White",
  title = 	 "From dirt to shovels: Fully automatic tool generation from ad hoc data",
  booktitle = POPL2008,
  pages = 	 "421--434",
  year = 	 2008,
  address = 	 POPL2008addr,
  month = 	 POPL2008date,
  abstract =
   "An \emph{ad hoc data source} is any semistructured data source for which
    useful data analysis and transformation tools are not readily
    available. Such data must be queried, transformed and displayed by
    systems administrators, computational biologists, financial analysts and
    hosts of others on a regular basis. In this paper, we demonstrate that
    it is possible to generate a suite of useful data processing tools,
    including a semi-structured query engine, several format converters, a
    statistical analyzer and data visualization routines directly from the
    ad hoc data itself, without any human intervention. The key technical
    contribution of the work is a multi-phase algorithm that automatically
    infers the structure of an ad hoc data source and produces a format
    specification in the PADS data description language. Programmers wishing
    to implement custom data analysis tools can use such descriptions to
    generate printing and parsing libraries for the data. Alternatively, our
    software infrastructure will push these descriptions through the PADS
    compiler, creating format-dependent modules that, when linked with
    format-independent algorithms for analysis and transformation, result
    infully functional tools. We evaluate the performance of our inference
    algorithm, showing it scales linearlyin the size of the training data -
    completing in seconds, as opposed to the hours or days it takes to write
    a description by hand. We also evaluate the correctness of the
    algorithm, demonstrating that generating accurate descriptions often
    requires less than 5\% of the available data.",
}










%  LocalWords:  CFG GCD mernst CAV ernst InProceedings RazKS Orna Raz Feng NY
%  LocalWords:  Koopman booktitle addr usesDaikon basefilename raz icse Schulte
%  LocalWords:  PDF PS parsable HangalL Sudheendra Hangal DIDUCE MAJC VP ftfjp
%  LocalWords:  weakenings JSSE HangalCNC Naveen Sridhar Narayanan DAC Tillmann
%  LocalWords:  Sandeep Chakravorty NEEDpages Verix Jin Zhang TechReport Gries
%  LocalWords:  GroceV Groce Visser RIACS USRA supersededby groce tr Xie Upson
%  LocalWords:  PathFinder XieN UWCSE UW CSE UWCSEaddr apr WODA xie ASE Dromey
%  LocalWords:  woda Jtest ase PowerPoint HarderME RatPolyStack abs ExT ChandyM
%  LocalWords:  BinaryHeap sortedness preconds OA PRE emptyset Misc aug Jayadev
%  LocalWords:  JovExplanation howpublished Jov nov dec ICSM iscm EDSER Misra
%  LocalWords:  FL edser SQA Neelam GuptaH gupta Heidepriem def Pytlik Parasoft
%  LocalWords:  PytlikRKR Manos Renieris Shriram Reiss AADEBUG pytlik OPTvolume
%  LocalWords:  aadebug MarianiP Mariani Pezz ZimmermannWDZ Zimmermann Rajeev
%  LocalWords:  Diehl Zeller BrabermanGY Braberman Garbervetsky Yovine Alur Sri
%  LocalWords:  VERIMAG gerber braberman LCTES Universidad De Buenos feb Rance
%  LocalWords:  garbervetsky ir Nakhli Zorgati RV ETAPS ENTCS Mariani's Kurshan
%  LocalWords:  ITALIANinstitution Universit degli Studi di Milano lta Holzmann
%  LocalWords:  Bicocca mariani NEEDaddress NEEDmonth OPTkey OPTmonth cv Doron
%  LocalWords:  OPThowpublished OPTyear OPTnote OPTannote TODOusesDaikon Peled
%  LocalWords:  NEEDnumber BCT sep tis CBS CBSs JH SW SHR HR PhdThesis Leveson
%  LocalWords:  ITALIANschool phd NOdownloads InBook ColinM Severine rtv Amir
%  LocalWords:  Broy Bengt Jonsson Joost Pieter Katoen Leucker LNCS Tosi Pnueli
%  LocalWords:  Pretschner colin DenaroMPT Denaro Davide Taormina jun UC Rushby
%  LocalWords:  denaro acc WoWMoM eccs Quinlan dag Eleusis crx FOCL Coh Shankar
%  LocalWords:  jrnl wcohen FOIL's ch lcdlter Haym Hirsh Sandewall pac Sifakis
%  LocalWords:  Torasso Kaufmann learnability LCSLearn subsumers LCSs ai Prasad
%  LocalWords:  LCS GOLEM subsumer Kohavi Sommerfield MLC url ronnyk sgi Sistla
%  LocalWords:  contributedby com reimplements KohaviS oct inducers WCB Steffen
%  LocalWords:  russell Norvig LangleySBZ Zytkow chunking Xa Xb Xc Stahl Wolper
%  LocalWords:  Glauber componential LNAI Lavrac Dzeroski Grobelnik ISBN Zave
%  LocalWords:  Nonrecursive Kodratoff EWSL Porto cd csilpms Prem ICML Bernhard
%  LocalWords:  Devanbu OMITpublisher ILP iff Cypher Halbert Kurlander CMSVAN
%  LocalWords:  Maulsby Turransky IGNOREpages mrnumber GUIs ijcai aka od Carel
%  LocalWords:  boundedness representability LauDW Lau Domingos pre HPP callno
%  LocalWords:  OPTpages subsumptions phdthesis mitchell vanRijsbergen Scholten
%  LocalWords:  Rijsbergen Butterworths Ehud jan bibdate BC willy Yossi Hoare
%  LocalWords:  SIGOPS genterms annote SIG coden SINODQ ISSN Agrawal Int NSKL
%  LocalWords:  Gehrke Gunopulos Raghavan Rakesh Dimitrios Prabhakar DNF Hari
%  LocalWords:  Ashutosh Tiwary SIGMOD Proc Conf pubmonth pubyear pdf ps Seung
%  LocalWords:  CherniavskyVS Cherniavsky Mahendran Velauthapillai Shawe Mahmut
%  LocalWords:  Statman AnthonyBCST Brightwell doi Hn characterise egr Kandemir
%  LocalWords:  sgr MERL RSW Shrobe rogrammer's pprentice CPTRB INSPEC's Feihui
%  LocalWords:  isp TSE Los RichWaters CMU Statlib lin stat RuleQuest Henzinger
%  LocalWords:  ubist CubistDemo solaris tgz CNF subformulas MOBAL Morik aspdac
%  LocalWords:  Katharina Mobal pos neg metarules esp Hoare's CICS ized ICSEPhD
%  LocalWords:  Kaminsky JOIE ASEjournal InCollection Natarajan DijkstraS co LP
%  LocalWords:  bookpages submittedLCTES Ramakrishnan Srikan outerwear Laff Rok
%  LocalWords:  CORNELLCS Cleaveland Laffra PROCOL Horning Modet LSL NJ olit WI
%  LocalWords:  Boyland Scherlis Alamitos unaliased instanceof usedBy si obcl
%  LocalWords:  CACMA Spivey Jifeng Sufrin ParnasC Lorge Parnas IEEETSE procol
%  LocalWords:  Finney JacksonSS Schechter Ilya Shlyakhter Alcoa's Booch rensen
%  LocalWords:  Rumbaugh Ivar Longman VDM LiskovG Liskov LiskovW toplas SOFTENG
%  LocalWords:  BlackHJLC tse SchaffertCBKW Schaffert Topher Bullis Luca parnas
%  LocalWords:  Kilian Wilpolt oopsla Cardelli IandC AmericavdL der Apre Scully
%  LocalWords:  ZaremskiW Moormann Zaremski tosem Tpre Tpost Apost Qpre mrclass
%  LocalWords:  RELN Spre Qpost Spost Spred Qpred postmatch HarroldRWY Univ MDG
%  LocalWords:  RepsBDL LenceviciusHS CookW fse reengineering NMSU CSTR rigour
%  LocalWords:  jul checkin RNet FSM Ktail BoigelotG Boigelot Godefroid Soci WA
%  LocalWords:  TACAS Twente VeriSoft lncs bisimilar FSMs BratkoG Bratko Liao
%  LocalWords:  Marko AIFIPP Jos Cuena Grobelnik's ijs div Zupanic Osamu Amer
%  LocalWords:  ILPNET COMMUN MUGGLETON GENERAT COMPUT BraGro Muggleton Diwan
%  LocalWords:  DanYKT Seiichiro Takahira Yamaguchi Kakusho Yoshikazu behaviour
%  LocalWords:  Tezuka corrigenda behavioural Robillard Michalakes subarrays CC
%  LocalWords:  LiaoDBGL Anwar Ghuloum SUIF indetectable PPOPP KAP CSL LeinoM
%  LocalWords:  OplingerHLNLO Oplinger Basem Nayfeh Kunle Olukotun TLS ller inv
%  LocalWords:  SPMD Kuck DevabhaktuniPPA Srikrishna Devabhaktuni Dain ESC min
%  LocalWords:  Petkov Georgi Peev Saman Amarasinghe Softspec Saman's sp Modula
%  LocalWords:  Bruening KurlanderF Feiner CUCS Badros Pavlidis's PED IB Ren WY
%  LocalWords:  PavlidisVW Kautz discoplan Gerevini AIPS Artif Intell CsallnerS
%  LocalWords:  Drabble AAAI GereviniS Lenhart MukherjiS Proshanto ICAPS Yannis
%  LocalWords:  Mukherji ATT Rachid Guerraoui mei Hwu ISCA Merten Rajesh Nadya
%  LocalWords:  Gyllenhaal DeGroot Biermann Ramachandran Krishnaswamy Csallner
%  LocalWords:  referencedby autoprogramming FoPeAlCh Perelson Cherukuri Gamboa
%  LocalWords:  Nonself nonself Anil Somayaji diSessa Learnable MillerG Kuzmina
%  LocalWords:  Gujarathi AndritsosM Periklis Andritsos IWPC OLAP LCCN csallner
%  LocalWords:  CDN stoc Angluin Alon aipl Cousot Radhia fixpoint glb KuzminaG
%  LocalWords:  lub fixpoints CousotC popl GannodC Gannod Kluwer orig UWCS ctor
%  LocalWords:  reengineer swapa prehash ChengG TAI AutoSpec overfitting Montr
%  LocalWords:  semno Carsten Gomard Sestoft omitmonth serieseditor pbk Bowring
%  LocalWords:  Jens Palsberg TAPSOFT tapsoft Priyadarshan Kolte pldi Dataflows
%  LocalWords:  Hongwei Pfenning checkability Christoph Hindley Milner Qu bec
%  LocalWords:  Indizierte Typen Karlsruhe SuzukiIsh Norihisa Kiyoshi DSD issta
%  LocalWords:  Ishihata SIGACT wlp BeLS Saddek Bensalem Yassine Hassen Chesley
%  LocalWords:  Lakhnech Saidi PVS unclearly icrs sri Elspas CORrelation Denmat
%  LocalWords:  Smaragdakis Csallner's authorASCII ChesleyRR Xiaoxia DenmatGD
%  LocalWords:  usesDaikonAsTestSubject Arnaud Gotlieb Mireille Ducass GK RenCR
%  LocalWords:  Ducasse WLPE Sitges BowringHR Harrold Rehg CERCS databins sas
%  LocalWords:  databin EvansP MastersThesis Rad Soroush Karimi ElbaumD inline
%  LocalWords:  Elbaum Diep YuanX Hai RETR UML's statechart Brastra OSM gotos
%  LocalWords:  OSMs Weilei DCS WTISD DSdate OMITeditor ICECCS Lorenzoli Basili
%  LocalWords:  LorenzoliMP Cornelis homeostasis Ajeet Trishul Chilimbi Mana UK
%  LocalWords:  Baz Turchin Supercompiler Supercompilation vol Turchin's Jalloy
%  LocalWords:  Massalin's superoptimizer Supercompilers LLC BjBM Nicolaj Levin
%  LocalWords:  Bj rner Anca Zohar Cassis TCSCDI conflocation conftitle BallLX
%  LocalWords:  corpsource Comput Sci pubcountry sponsororg xxauthor CP Fei ISE
%  LocalWords:  Bjorner STeP HenryWF Whaley Forstall UWPI ADT's Givan SAS Ghiya
%  LocalWords:  IAAI WatermanH Caplain VaziriH Mandana Vaziri JeffordsH Hendren
%  LocalWords:  Jeffords Heitmeyer SCR lano Breuer Nicholls Calliss Bod Hummel
%  LocalWords:  DataFlex ShankarB Rastislav Bodik incrementalization Cytron's
%  LocalWords:  incrementalizer incrementalize incrementalizers memoized Shmuel
%  LocalWords:  isOrdered FlanaganJL Taghdiri inlining finitized Hendron's Katz
%  LocalWords:  Nicolau HendrenHumNic Wegbreit IGNOREeditor Haim Kilov NC ack
%  LocalWords:  Rumpe Simmonds etal OMITorganization LeavensBR NOpages Cz nhfb
%  LocalWords:  CatanoH stor Cata Marieke Huisman Catano unassingable bbl Mihai
%  LocalWords:  OCallahan valuepoint O'Callahan SMcC Ramalingam AmmonsBL Dunlop
%  LocalWords:  ArnoutS Karine Arnout Rapha ArnoutM IEnumerable metadata Aneesh
%  LocalWords:  IEnumeration WhaleyML FMCO Sujay HenkelD Henkel retval Yi dir
%  LocalWords:  HashSet IntStack NelsonO Oppen JACM outdegree cdr kbytes Netsky
%  LocalWords:  XElement AgarwalSS Rahul Agarwal Amit Sasturkar Stoller reffrom
%  LocalWords:  SUNY DAR Boyapati PRFJ downloadable Stoller's callees APP jdt
%  LocalWords:  Tamraparni Dasu Muthukrushnan Vladislav Shkapeyuk Ihab OO Cova
%  LocalWords:  Panayiotis Tsaparas Ilyas Volker Markl Ashraf Aboulnaga Kruegel
%  LocalWords:  Larus screenshots BoshernitsanDS Boshernitsan Roongko app Vigna
%  LocalWords:  Doong Savoia FeiM Midkiff Rosenblum PreProcessor TRCS Urs Ciupa
%  LocalWords:  jContractor Karaorman Holzle KaraormanHB ClassLoader Malo ETHZ
%  LocalWords:  Ostrand SFENDP Sigsoft CRL PetersP Yoonsik Cheon Chalin Malware
%  LocalWords:  ENCS SPV Rioux Neno Medvidovic Nenad Rothermel Rui Liu Ko Arati
%  LocalWords:  OSU CISRC HutchinsFGOS RothermelH HarroldRSWY Sayre Tarak Vinod
%  LocalWords:  Goradia controlflow WeissDSAAJ Blackdown evelopment inux Ilinca
%  LocalWords:  O'Reilly Sebastopol BennettLMRRHR Avraham Leff Mikalsen malware
%  LocalWords:  Rayfield Rouvellou Hahm Rasmus DyC Philipose Eggers Aung Baliga
%  LocalWords:  CockrellQuals OLDnote Thaung JacksonW Waingold classfiles Liviu
%  LocalWords:  Womble OMT Womble's Gorlick Balachander Krishnamurthy GCP ACSAC
%  LocalWords:  Hempstead FCTL Laung AraragiK Tadashi Araragi Kogure CTL Iftode
%  LocalWords:  CLIMA Erdos ASA Araragi's NTT Hikaridai Seika cho Souraku Pezze
%  LocalWords:  araragi DemskyR lhs Progol sProgol GiffinJM Giffin Somesh EFSMs
%  LocalWords:  Jha applets Globus SETI RPCs NFA mutithreading gzip SOSP FFTV
%  LocalWords:  procmail Sobalvarro Schlansker JohnsonSch SIGMICRO Das Dy EE de
%  LocalWords:  Jazayeri Schauer LukoitWSH Kazimiras Lukoit Stowell Guido MVC
%  LocalWords:  TraceGraph PythonReferenceManual Rossum Romer Voelker SPE Boehm
%  LocalWords:  PythonLibraryReference Wolman Bershad SrivastavaE Amitabh Abts
%  LocalWords:  Srivastava Eustace SrivastavaW LarusS Schnarr USENIXWinNT FTfJP
%  LocalWords:  RomerVLWWLBC BrueningDA Duesterwald FDDO IconHashing Cha FCEyN
%  LocalWords:  designpatterns Vlissides Multiversion LevesonCKS Shimeall UBA
%  LocalWords:  FTCS Deok ShimeallL Waddell diffs Holtle DZS DeLine Ewan ndez
%  LocalWords:  Zelesnik UniCon BiddleMMWT Tempero SSR gdb tk Dyno eval CovaBFV
%  LocalWords:  MillerWilliamsBT AmmannK Ammann Trans Blum HindPioliSAS webpage
%  LocalWords:  Pioli Hellerstein Avnur Hidber Olston Vijayshankar Raman ISMM
%  LocalWords:  Tali lawyering Cyclomatic Lindholm Yellin LindholmY Aggarwal se
%  LocalWords:  NOpublisher NOyear ArnoldGH Stucki Garlan Ambriola Schach
%  LocalWords:  Tortora Glenford MotwaniR Motwani Halevy ChristodorescuJK
% LocalWords:  Christodorescu isTrivialComponent malwares Symantec Balzarotti
% LocalWords:  Viktoria Felmetsger Swaddler overapproximations KuzminaPGC
% LocalWords:  ContExt PolikarpovaCM Polikarpova ETHZaddr instrumenter Andreas
% LocalWords:  CsallnerSX SchulerDZ Schuler Dallmeier JAVALANCHE OPTcategory
% LocalWords:  OPTbasefilename OPTsummary BaligaGI Ganapathy rootkits rootkit
% LocalWords:  OPTsupersededby OLDdownloads OTHERdownloads addItemToCart
% LocalWords:  IEEESoftware Ockerbloom interoperability MarianiPP Departamento
% LocalWords:  Computaci BrabermanFGY
